Camera was hacked

Ring Camera Hacking

Unauthorized account access due to weak or compromised credentials is not the same thing as “hacking.” If someone enters a correct username and password into the system, it’s obviously going to give them access.

6 Likes

True, hacking is the automated scripts to find the compromised accounts. Just pointing out this is a User Issue in most cases.

2 Likes

Very rare it’s a “hack” versus a user having an easy password. Always use strong passwords and never use the same password more than once. Set up and use MFA if it has the feature.

3 Likes

Notice: This post is for folks who aren’t familiar with 2FA, Password Managers, and VPN.

As far as password security, 2FA is awesome. However, having a strong password is essential. I use a password manager which lets me create passwords with one click and as lengthy as I want with unique characters. Here’s an example: 4QHzm%7vVrFxZw$cSArh^zEz92u8RV

A good password/security setup would be like this:

  • Sign up for a password manager account with the company of your choosing (Lastpass, 1password, Bitwarden, etc.)
  • Create a strong master password for the password manager account and activate 2FA.
  • Use the password generator in your password manager to create passwords like the one I posted above.
  • Do not reuse/share passwords. Create new strings for each account.
  • Change your passwords for all your online accounts; I know this might be a long chore but you can do it when you’re accessing each account. Before long, you’ll have them all changed. Sadly, US banks (at least the ones I deal with) still rely on SMS verification instead of 2FA so the accounts that should have the most security actually have the least secure verification method. Sigh. Oh, if you’re not aware, SMS can be intercepted and hijacked.
  • I highly recommend that you sign up for a VPN service, especially if you use public wifi networks like in airports, Starbucks, etc… To keep it simple, a VPN masks your IP (think of it as your digital ID) by routing all your web activities through the VPN service’s servers before sending the traffic back to your device. For example, you visit wyzecam.com without having a VPN. Wyzecam staff would be able to see your IP and tell where you are connecting from. If you had a VPN, you connect to wyzecam.com and they will see the IP of the VPN server and not your actual IP address. Of course, your online browsing is anonymous as long as you don’t sign into an account that might have your real info.
  • Use a browser that respects your privacy like Firefox. Steer clear from Google.

My personal software recommendations:

  • For password managers: Bitwarden. Why? It’s open source and is reviewed by qualified developers. You can also host the software on your own server if you distrust having your passwords saved on some company’s cloud servers.
  • For 2FA: AUTHY. Why? You can install Authy on multiple devices so if you lose your phone, you won’t lose access to all your accounts. I have it installed on my phone and PC. I also use their backup feature which saves the 2FA codes in the cloud.
  • Browser: Firefox. Why? I have complete control over the privacy settings unlike with other browsers. Not to mention, it’s faster and less of a resource hog than Chrome.
  • VPN: Torguard or PIA. Why? Both are excellent services that don’t actually keep logs.
  • Email: Zoho Mail if you use free email. If you can afford it, get ProtonMail. Why? Email encryption.
  • Payment methods: Privacy.com. Why? It lets you create virtual cards with specific spending limits. You can also use ANY billing/shipping address, and even the name on the card doesn’t have to be real. It’s great to minimize the risk of debit card theft. It’s free to use as they take a portion of the processing fees from the seller. It’s like Paypal but better.

Whatever you take from this, please follow these no matter what:

  • Use 2FA if possible.
  • Don’t reuse the same password on online accounts.
  • Don’t use Gmail.

Last tip: If you need help finding alternatives to Google services, visit this website for a nice list:

Hope this helps!

9 Likes

The core problem with hacking is it is the user’s fault. Yes, good developers and companies will anticipate the various ways users will not be smart, and correct for this… but bottom line is if you get hacked, it’s your fault.

So how do you prevent ever being hacked? I’ve been developing software and using a computer for 37 years. Here’s my 2 cents:

  1. Use a password manager and let it assign all your passwords. You only need to remember one then. And no passwords are repeated on all your other sites then, and you can specify to make them complex and strong. BUT for your one/main password, make that one password as long as possible. Seriously, at least 16 characters. 24 is even better. And before y’all complain “I can’t remember that”… it’s not hard to take a familiar 4-character password and repeat it 4 times and vary it each time a bit, or your favorite 8-character password and repeat it 2 (or 3) times. For example… “pony” becomes “ponyPonyPONYpony”. or “Light123” becomes “Light123Light123” or “Light123Light321”. If you throw in just one special character, that’s an added security bonus and multiplies your complexity.
  2. But, it’s not the complexity that really matters, as most “experts” tell you. You DO NOT NEED special characters and all the other junk they force you to use. LENGTH of password is CRUCIAL. If you had a special-character password of 8 characters, and I had one using just normal letters but 16 characters long, your password will be hacked LONG before mine will.
  3. All of these people on the news with their Ring cameras getting hacked… it was their fault. They did not care about security AT ALL and ignorantly used some simple username and password that they’ve probably used on a hundred other sites. Don’t fall into this trap.
  4. If you are up to it, or know someone who can set it up for you… you really should think about separating all your smart devices (TV’s, cams, appliances, etc) onto a subnet for your home network. That way, in case any of them are breached (they have far less security than your phone or laptop), none of your valuable devices are compromised on the main network.
  5. At least twice a year, you should change all your passwords. If you use a password manager, this is very easy. Why? Well, in case one of your smart devices was hacked, the hacker could have placed a small bot in it to expand a botnet and do some dirty work for the hacker (including constantly eating your bandwidth or probing your network to get at your personal data, or even using your resources to help them commit cybercrime!)

Moral of the story? Use a long password. Don’t repeat any passwords for any accounts you have, so use a password manager to keep track of them. Try to use different login ID’s if you can also. Enable 2-factor authentication whenever and wherever possible!

6 Likes

omg I just wasted 15 minutes typing a response to the main post that said EXACTLY the same thing lol.

I could move your post to #tips-and-tricks if you would like. That way the entire community could benefit from it. It is well written. 🙂

2 Likes

Whatever you think is appropriate 🙂 nyrangers also had a good post, and though it has more things (such as using VPN) it’s also a great candidate to put over there. My post was a knee-jerk reaction to the original post which suggested that Wyze products are insecure (lol) and implied that companies are responsible for the misuse of their products ;). I love your cameras btw.

I wish I could take credit, but I don’t work for Wyze. Moderators and Mavens are customers like you who volunteer to help out on the forum. 🙂

5 Likes

You added some good pointers that I didn’t mention. I’m just trying to raise some awareness about protecting our privacy online. Whether it’s from big corporations, hackers, or your nosy neighbors. Sharing your life on Facebook might have been “cool” a decade ago but social engineering isn’t something to be taken lightly nowadays. I would also recommend getting a burner phone that is used for your banking and other extremely sensitive accounts instead of using your regular home or cell number. What I mean by burner phone is a prepaid cellphone service that you pay for WITH CASH and isn’t tied in any way to your real name. This would cost you around $5-$10 per month only and it’s worth the extra security it provides.

The reason for all this is simple, google yourself and you’ll most likely find your current and previous address, phone numbers, email addresses, relatives and your name (even your middle name) and your DOB. It’s SCARY how easy it is for a hacker to gain all this info by a simple search which can be used to hijack your online accounts.

Here’s a scenario: You connect to the wifi in your university, airport, or local coffee shop and lurking around is a nefarious hacker that has gained access to your device through the unsecured network. You send an email, log into your accounts, you post on social media and this hacker has been intercepting it all. They now know your name, email, and the passwords for the accounts you used so far. They will use a bot (a program) that will take those emails and passwords and try them on major sites hoping you used the same credentials on other sites. Then, they will google you and come up with the rest of the info (address, DOB, middle name, etc.) to help them even further.

You’re wondering what the chances are of this happening to you. For me, this hit home when a close friend of mine had her home robbed TWICE when she was away on vacation, had her identity stolen a year later and it got me thinking. She’s not tech savvy at all. On a scale of 1-10, she’s definitely a 1 (she knows how to send an email but does not know how to create a spreadsheet, no joke). She also shops online from random and unknown websites using her actual credit card and personal info. She posts on social media about her actual location and what she’s doing. There are so many security gaps here that it makes me cringe. You can see it too, right?

I’ve been in your shoes, reading all this thinking that it would be a hassle to implement these changes. I can assure you I’m actually SIMPLIFYING your digital life. I enter ONE password to gain access to all my other passwords. I have them auto-filled in the browser by the password manager. The VPN turns on and auto-connects when I turn on my computer with zero interaction from me. The browser privacy settings were configured once and I reap the benefit of it each time I browse the web. Ever since I implemented all the above, along with the habit of jotting down my to-do things and schedules, I feel my brain is de-cluttered and I’ve been sleeping better at night.

2 Likes

I’m guessing you’re being sarcastic,
But, just in case you’re not…
You actually can change your user account name with Wyze through Wyze.com.
You can change it via your profile settings page.
The other option is to delete your cameras from your account, then create a new account, and set the camera’s up again with that new account.

2 Likes

But you can’t change your username (screen name); you can get it changed by contacting support or a moderator.

2 Likes

One good thing to do is check https://haveibeenpwned.com/ to see if your email address has been included in any data breaches.

Reiterating what others have stated, use a password manager (Lastpass, 1password) with a very secure password, and make sure every site you visit you create a different random password for. That way if an account is breached, it doesn’t affect anything else, and with the password manager you don’t need to remember them. They all have apps for pretty much all platforms, so whether on your phone, tablet, or computer you’ll be able to access them.

Quick recommendations for the secure password for that - instead of trying to make it super complex, try to make it long and easy to remember. Four to five random words strung together are a million times more secure than an eight digit random password. So make your password for the manager something like “PizzaHouseBlueTonkaHorse” and you will find it a lot easier to remember those 5 words, and with 24 characters it’s essentially impossible to brute force attack. Just remember to keep them random, don’t use a common phrase like “HaveAMerryChristmas”.

4 Likes

Is Wyze going to implement integration with an authentication app like Google Authenticator or 1Password so that we can just put in a random code INSTEAD of getting a code sent to a phone number?

The issue I have with sending to a phone is that my wife and I use the cameras and if she accesses the camera and needs the code it will get sent to my phone, not hers since there is only one phone number in the 2FA.

If we can use an app like Google Authenticator, then whoever has the app and the code, they can get in… which is way better.

3 Likes

I think you would be interested in this Wishlist request. 🙂

Pick a two or three digit number. Pick a long verb. Pick a long noun. Put them all together, like 29BouncingPenguins, or 640ScreamingSpartans. Three random things are easier to remember than 20 random characters.

1 Like

As an added bonus, if you need a new name for your punk band, you can follow the same formula. 🙂

…Or a 21st-century update for “The 12 Days of Christmas”

FIIIIIVEEEEE GOOOLLLLDD RIIINNNNGSSS!

2 Likes

Was the OP able to upload the intruder video to Wyze or did they post it here? Just my basic smell test, sorry for chiming in so late. I have all my “indoor cams” mounted outdoors so who really knows how many times I’ve been hacked.

I keep foil tape over all my Alex’s for the protection of the hackers 🙂

Better to use a password manager, so you only have to remember one long passphrase, rather than trying to remember long passwords for every site. Also, keep in mind one will encounter some sites that limit the password to a rather short length, at which point being random becomes far more important.

Keep in mind that unless a site has truly crappy security, one isn’t going to be concerned about an account being compromised by multiple attempts at the password, as a site with decent security should start throwing up roadblocks after multiple attempts (e.g., rate limiting, or even blocking attempts from that IP address). What you are really protecting against is if someone breaches the company and gets the hashed password database and runs an offline attack against it, which can employ more sophisticated methods (such as a rainbow table), that will relatively quickly discover the passwords that are the least complex and shortest.

1 Like
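
The length-versus-complexity point made in several replies above, and the offline attack on a stolen hash database described in the last one, put into numbers as an added example (not code from any poster or from Wyze). The 32-word list is constructed for the demo, the 7776-word list size and the 1e10 guesses-per-second rate are assumptions, and the figures hold only for passwords chosen uniformly at random, not for human-chosen patterns.

```python
import math
import secrets

# Constructed 32-word list for the demo only. A real generator would load a
# large published list (assumed here: 7776 words, about 12.9 bits per word).
WORDS = ("pizza house blue tonka horse river candle tiger marble window "
         "forest rocket anchor violin pepper saddle copper meadow lantern "
         "button harbor walnut ribbon glacier thimble orchid bucket falcon "
         "pillow magnet cactus ladder").split()


def random_passphrase(n_words, wordlist=WORDS):
    """Pick n_words uniformly at random with a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(n_words))


def bits_random_chars(length, alphabet_size):
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_passphrase(n_words, wordlist_size):
    """Entropy in bits of n_words drawn uniformly from a word list."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an offline attacker to try every candidate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second=1e10):  # assumed offline guess rate
    """Return {description: (entropy_bits, years_to_exhaust)} per scheme."""
    cases = {
        "8 random printable ASCII (95 symbols)": bits_random_chars(8, 95),
        "16 random letters (52 symbols)": bits_random_chars(16, 52),
        "5 random words from a 7776-word list": bits_passphrase(5, 7776),
    }
    return {name: (round(b, 1), years_to_exhaust(b, guesses_per_second))
            for name, b in cases.items()}


if __name__ == "__main__":
    print("sample passphrase:", random_passphrase(5))
    for name, (bits, years) in compare().items():
        print(f"{name}: {bits} bits, ~{years:.3g} years at 1e10 guesses/s")
```
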