Full Report
Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th. [...]
Analysis Summary
# Incident Report: Suspicious Login Activity and Potential Unauthorized Access on Ring Accounts
## Executive Summary
Users reported suspicious logins, unexpected devices listed under authorized client devices, and live view activity on their Ring devices, suggesting a potential security incident or widespread account compromise. Ring stated there was no breach and attributed the listings to a backend update bug that caused previous logins to be displayed as current ones. However, reports of unrecognized activity persisting after the backend update, together with the absence of multi-factor authentication (MFA) prompts for the unfamiliar devices, left significant doubt about whether every listed device was genuinely a stale entry.
## Incident Details
- **Discovery Date:** Not stated; user reports on social media (e.g., Facebook) began around the time of the backend update.
- **Incident Date:** May 28th, the date Ring cites for the surge of unauthorized devices appearing in accounts; users reported continued activity after the backend update.
- **Affected Organization:** Ring (Amazon-owned subsidiary).
- **Sector:** Consumer Electronics / Smart Home Security.
- **Geography:** Not specified in the source; reports came from individual customers posting on social media.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified beyond the May 28th surge, which coincided with a backend update implemented by Ring.
- **Vector:** Unconfirmed. Ring attributes the device listings to a backend update bug surfacing previous logins; if any of the logins were genuine, the most likely vector would be reused or leaked credentials, but the source does not establish this.
- **Details:** Users began seeing unrecognized logins and devices listed as authorized on their accounts.
### Lateral Movement
- **Details:** Not applicable in the strict sense. Users reported live view activity when no household member was using the app; if genuine, this is use of the compromised account's own camera permissions rather than movement between systems.
### Data Exfiltration/Impact
- **Details:** Potential unauthorized viewing of live camera feeds and of the account's device authorization list. If the unrecognized logins are real rather than a display artifact, the account credentials and existing session tokens should be treated as compromised.
### Detection & Response
- **How it was discovered:** Users proactively noticed and reported unauthorized device listings and activity on Facebook and social media platforms.
- **Response actions taken:** Ring stated that a backend update bug caused previous logins to be displayed as current devices. Users were advised to review and remove unrecognized devices, change their passwords, and enable two-factor authentication.
## Attack Methodology
- **Initial Access:** Unconfirmed; Ring attributes the listings to a backend update bug rather than to an intrusion.
- **Persistence:** Unclear, but unrecognized device listings reported days after the update suggest that stale sessions or device authorization tokens were resurfaced or not properly invalidated.
- **Privilege Escalation:** Not applicable; viewing live feeds is within the normal privileges of an authenticated account session.
- **Defense Evasion:** Not attributable to an attacker technique. The relevant control gap is that no security alert or MFA prompt was reported for the unfamiliar devices.
- **Credential Access:** Not detailed; valid credentials or session tokens would be required for any genuine unauthorized login.
- **Discovery:** Unknown.
- **Lateral Movement:** Not observed; the reported activity stayed within single customer accounts.
- **Collection:** Real-time viewing of security camera feeds, if the logins were genuine.
- **Exfiltration:** None confirmed; the exposure, if any, is viewing or recording of private live feeds.
- **Impact:** Potential invasion of user privacy and loss of confidence in home monitoring systems.
## Impact Assessment
- **Financial:** Not quantified in the context.
- **Data Breach:** Unconfirmed. Ring's position is that no breach occurred; if any listed logins were genuine, private live camera feeds and the account's device authorization list were exposed.
- **Operational:** Disruption due to users needing to manually manage security settings post-incident awareness.
- **Reputational:** Lack of transparency from Ring regarding the nature of the abnormal activity negatively affected customer trust.
## Indicators of Compromise
- **Network indicators:** Suspicious login locations/IPs (reported by users as countries they have never visited).
- **File indicators:** N/A.
- **Behavioral indicators:** Sudden appearance of unrecognized devices in the "Authorized Client Devices" list; unexpected live view activity; lack of MFA prompts during anomalous logins.
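The behavioral indicators above can be turned into detection rules and replayed over account activity. The following is an added example, not Ring's code: Ring's event schema is not public, so the fields (`account`, `event`, `device_id`, `country`, `mfa_verified`) are an assumed schema and the JSON-lines log is constructed for illustration. It builds a per-account baseline of known devices and countries and flags a first-seen device that did not complete MFA, a login from a never-seen country, and a live view from a device that never passed MFA.

```python
import json
from collections import defaultdict

# Constructed JSON-lines events for one account (assumed schema, not Ring's real log format).
SAMPLE_LOG = """\
{"ts": "2025-05-20T08:00:00Z", "account": "alice", "event": "login", "device_id": "iphone-1", "country": "US", "mfa_verified": true}
{"ts": "2025-05-21T19:30:00Z", "account": "alice", "event": "live_view", "device_id": "iphone-1", "country": "US", "mfa_verified": true}
{"ts": "2025-05-28T03:12:00Z", "account": "alice", "event": "login", "device_id": "android-9f2", "country": "BR", "mfa_verified": false}
{"ts": "2025-05-28T03:14:00Z", "account": "alice", "event": "live_view", "device_id": "android-9f2", "country": "BR", "mfa_verified": false}
{"ts": "2025-05-28T09:00:00Z", "account": "alice", "event": "login", "device_id": "iphone-1", "country": "US", "mfa_verified": true}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_anomalies(events):
    """Replay events in time order and emit one finding per matched rule.

    Rules (one per behavioral indicator in the report):
      new_device_without_mfa  first sighting of a device_id on the account without MFA
      new_country             login from a country with no prior login on the account
      live_view_untrusted     live view from a device that never completed MFA
    """
    seen_devices = defaultdict(set)    # account -> device_ids seen logging in
    seen_countries = defaultdict(set)  # account -> countries seen logging in
    untrusted = defaultdict(set)       # account -> devices whose last login lacked MFA
    findings = []

    def flag(rule, ev):
        findings.append({"rule": rule, "account": ev["account"],
                         "device_id": ev["device_id"], "ts": ev["ts"]})

    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, dev = ev["account"], ev["device_id"]
        if ev["event"] == "login":
            if dev not in seen_devices[acct] and not ev["mfa_verified"]:
                flag("new_device_without_mfa", ev)
            if seen_countries[acct] and ev["country"] not in seen_countries[acct]:
                flag("new_country", ev)
            seen_devices[acct].add(dev)
            seen_countries[acct].add(ev["country"])
            if ev["mfa_verified"]:
                untrusted[acct].discard(dev)
            else:
                untrusted[acct].add(dev)
        elif ev["event"] == "live_view":
            # A live view from a device that never logged in, or logged in without MFA, is suspicious.
            if dev not in seen_devices[acct] or dev in untrusted[acct]:
                flag("live_view_untrusted", ev)
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['account']} {f['device_id']}: {f['rule']}")
```

The first two events establish the baseline, so the May 28th Android login from a new country without MFA produces two findings and its subsequent live view a third; the later verified login from the known iPhone produces none. In production the baseline would be seeded from the account's existing authorized device list rather than rebuilt from scratch.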
## Response Actions
- **Containment measures:** Users were instructed to immediately review the **Control Center** > **Authorized Client Devices** section and remove any unrecognized entries.
- **Eradication steps:** Users advised to change their account passwords.
- **Recovery actions:** Users advised to enable two-factor authentication (2FA) from Account Settings.
## Lessons Learned
- **Key takeaways:** Backend updates that touch session management or device authorization records must be tested so that stale or revoked logins cannot reappear as active devices and be mistaken for, or mask, genuine unauthorized access.
- **What could have been done better:** Ring should have communicated proactively and clearly about the anomalous listings rather than leaving users to discover them. The absence of MFA prompts or security alerts for the unfamiliar devices is a separate control gap, independent of whether the listings were a display bug.
## Recommendations
- Implement rigorous pre-release testing for session management changes related to device authorization.
- Ensure that all account activity originating from system updates is logged and distinguishable from typical user logins.
- Mandate MFA for all re-authorization events that follow system-wide updates, or at minimum, ensure an immediate, clear notification is sent for all new device sessions, even if attributed internally.
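The recommendations above come down to two properties of any migration that rewrites device authorizations: it must re-check expiry and revocation rather than re-issuing access for every historical row, and every record it creates must be distinguishable from a normal user login so that notices or forced re-verification can target them. The following is an added example, not Ring's code: a hypothetical device registry modelled on the failure mode described in this report, with a naive backfill beside a checked one. The field names (`device_id`, `token_expires`, `revoked`, `origin`) and the login history are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class DeviceAuth:
    """One entry in an account's authorized-devices list (assumed schema)."""
    device_id: str
    issued: datetime
    token_expires: datetime
    revoked: bool = False
    origin: str = "user_login"  # or "migration_backfill"; assumed provenance field


# Constructed login history for one account, as a migration would read it.
NOW = datetime(2025, 5, 28, 12, 0, tzinfo=timezone.utc)
HISTORY = [
    {"device_id": "iphone-1", "issued": NOW - timedelta(days=8),
     "token_expires": NOW + timedelta(days=22), "revoked": False},
    {"device_id": "android-9f2", "issued": NOW - timedelta(days=400),
     "token_expires": NOW - timedelta(days=370), "revoked": False},  # token long expired
    {"device_id": "laptop-old", "issued": NOW - timedelta(days=200),
     "token_expires": NOW + timedelta(days=100), "revoked": True},   # user removed it
    {"device_id": "tablet-2", "issued": NOW - timedelta(days=1),
     "token_expires": NOW + timedelta(days=29), "revoked": False},
]


def backfill_naive(history, now):
    """The failure mode: every historical row becomes an active device with a fresh
    expiry, ignoring revocation, and is indistinguishable from a normal user login."""
    return [DeviceAuth(r["device_id"], r["issued"], now + timedelta(days=30))
            for r in history]


def backfill_checked(history, now):
    """Hardened backfill: keep only rows whose token is still valid and not revoked,
    tag each created record with its origin, and write an audit line per decision."""
    active, audit = [], []
    for r in history:
        if r["revoked"]:
            audit.append(f"skip {r['device_id']}: revoked")
            continue
        if r["token_expires"] <= now:
            audit.append(f"skip {r['device_id']}: token expired {r['token_expires'].isoformat()}")
            continue
        active.append(DeviceAuth(r["device_id"], r["issued"], r["token_expires"],
                                 origin="migration_backfill"))
        audit.append(f"backfill {r['device_id']}: origin=migration_backfill")
    return active, audit


def authorized_device_ids(registry, now):
    """What an 'Authorized Client Devices' page would display for this registry."""
    return sorted(a.device_id for a in registry if not a.revoked and a.token_expires > now)


def needs_reverification(registry):
    """Devices that should receive a notification or a forced MFA challenge:
    anything whose record was not created by a normal user login."""
    return sorted(a.device_id for a in registry if a.origin != "user_login")


if __name__ == "__main__":
    print("naive:  ", authorized_device_ids(backfill_naive(HISTORY, NOW), NOW))
    active, audit = backfill_checked(HISTORY, NOW)
    print("checked:", authorized_device_ids(active, NOW))
    print("notify: ", needs_reverification(active))
    print("\n".join(audit))
```

With the naive backfill the expired Android login and the laptop the user had already removed both reappear as active, and `needs_reverification` returns nothing because the records carry the default origin. The checked version drops both, keeps an audit trail of why, and marks the surviving records so that a notification or MFA challenge can be sent for exactly the sessions the migration touched.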