During the last week of 2019, we covered the importance of security for Internet of Things (IoT) devices, better known as “smart” devices. Unfortunately, fears that such devices could be hacked have been borne out by real-life incidents. Last month, Joseph Cox and Samantha Cole of VICE reported that a hacker compromised the Ring camera of a family in Mississippi. The camera was installed in the bedroom of three young girls. Chillingly, the hacker spied on them and had the gall to speak to them, telling them that he was Santa Claus. The situation seemed like something out of a modern horror movie.
Setting the IoT aside, passwords were at the root of the problem. VICE journalists searched crime forums and discovered posts about tools for hacking Ring accounts. These tools are software designed to log into accounts by rapidly trying different username and password combinations, a brute-force approach to hacking accounts. A Ring spokesperson told VICE that Ring’s security wasn’t compromised, and that they recommend using two-factor authentication, strong passwords, and regularly changed passwords to prevent account theft. Ring hardware and software weren’t the issue; the account password was what ultimately compromised the family.
Sadly, many consumers choose weak passwords. Late last year, the Firefox Frontier noted that at least four major media outlets covered a stolen Disney+ account epidemic. These incidents provide an excellent example of how context can be used for guessing passwords. Passwords such as “princess”, the names of Disney princesses (“jasmine”, “cinderella”, etc.), “frozen”, “starwars”, “mickeymouse”, and “disney” were among the most commonly used passwords for Disney+ accounts. Just as “12345” or “password” are obvious passwords in general, these other passwords were obvious choices for Disney+ accounts. The context of using Disney+ meant that customers were more likely to choose Disney-themed passwords, which made these passwords easier to guess. Attackers likely obtained lists of usernames, either through theft or purchase from other hackers, then tried large numbers of combinations of usernames and weak passwords to access as many accounts as possible.
Just like Ring, Disney claimed that their system hadn’t been breached. However, families and individuals cannot rely on manufacturers and service providers alone: they must take their own measures to ensure their security, such as choosing passwords that aren’t obvious. The Firefox Frontier lists some password security tips, including: using unique passwords (for each account), creating strong passwords, using a password manager, using multi-factor authentication, and monitoring your accounts for signs of intrusion. Hopefully, improving password security was included in the New Year’s resolutions of consumers. If not, it should be seriously considered as we move into the new decade.
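The context-based guessing described above for Disney+ can be screened for at the moment a password is chosen. The following Python code is an added example, not code from Ring, Disney, VICE or the Firefox Frontier; the word lists are small constructed samples built from the passwords named in this post, and the function names and the "at least half the length" matching rule are assumptions made for illustration.

```python
import re

# Constructed sample of generically common passwords (a real check would use
# a much larger list of known-breached passwords).
COMMON = {"12345", "123456", "password", "qwerty", "letmein"}
# Context terms: the Disney+ passwords named in the post above.
DISNEY_CONTEXT = {"disney", "princess", "jasmine", "cinderella", "frozen",
                  "starwars", "mickeymouse"}

# Common character substitutions ("pr1nc3ss" -> "princess").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE = re.compile(r"^[^a-z]+|[^a-z]+$")   # digits/symbols at either end
SEP = re.compile(r"[\s_.\-]+")            # separators inside the password


def candidates(password):
    """Return the base words hiding behind simple decorations."""
    lowered = password.lower()
    stripped = EDGE.sub("", lowered)      # "frozen2019!" -> "frozen"
    forms = {lowered, stripped,
             lowered.translate(LEET), stripped.translate(LEET)}
    return {SEP.sub("", f) for f in forms} - {""}


def screen_password(password, username="", context=DISNEY_CONTEXT):
    """Return a sorted list of reasons to reject; empty means accepted."""
    reasons = set()
    # Use the part before "@" so an e-mail login is handled too.
    user = SEP.sub("", username.lower().split("@")[0])
    for cand in candidates(password):
        if cand in COMMON:
            reasons.add("common password")
        for term in context:
            # Flag only when the themed word is most of the password, so a
            # long passphrase that happens to contain it is still allowed.
            if term in cand and 2 * len(term) >= len(cand):
                reasons.add("service-themed: " + term)
        if len(user) >= 3 and user in cand:
            reasons.add("contains username")
    return sorted(reasons)


if __name__ == "__main__":
    for pw in ("Frozen2019!", "pr1nc3ss", "12345",
               "correct-horse-frozen-staple-battery"):
        print(pw, "->", screen_password(pw) or "accepted")
```

A service would pass its own brand and product names as `context`; the same check works for any account where the service name suggests an obvious password.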