Apparently yes, but also apparently that’s above the pay grade of most customers.
I’m not sure if that would require the token every time you wanted to use the Ring app on your phone, or just the first time you paired the phone with the service. From: AF <af-boun...@af.afmug.com> On Behalf Of ch...@wbmfg.com Sent: Saturday, December 28, 2019 12:15 PM To: 'AnimalFarm Microwave Users Group' <af@af.afmug.com> Subject: Re: [AFMUG] Ring doorbell lawsuit Is there a two factor option for ring? From: Ken Hohhof Sent: Saturday, December 28, 2019 6:26 AM To: 'AnimalFarm Microwave Users Group' Subject: Re: [AFMUG] Ring doorbell lawsuit In the case of Ring doorbells, I believe the doorbells communicate with a cloud server, in which case the doorbell’s IP address and whether or not you have a firewall is irrelevant. Most cameras work this way, although some seem to act as servers and let the mobile device app contact the camera directly, I assume via some sort of dynamic DNS. Reportedly all it takes to access your Ring account and access the doorbell or camera is your email address and password. These “hackers” are using email/password combinations from previous data breaches and trying them against the Ring service to see which ones work. Once Ring grants access to your account, they can view your stored video, watch the camera in real time, or even talk through the speaker. It’s like hacking someone’s Gmail account, except Gmail does a better job of alerting you to suspicious login attempts. The reporting on this doesn’t do a very good job on this detail, you could get the impression they are directly accessing your device over the Internet and hacking into it, rather than hacking into your cloud account Ring’s servers. https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security I would also point out that firewalls don’t protect against a device on the trusted side establishing a connection to the outside, and also that all bets are off if you enable UPnP. From: AF <af-boun...@af.afmug.com <mailto:af-boun...@af.afmug.com> > On Behalf Of Matt Hoppes Sent: Saturday, December 28, 2019 9:44 AM To: AnimalFarm Microwave Users Group <af@af.afmug.com <mailto:af@af.afmug.com> > Subject: Re: [AFMUG] Ring doorbell lawsuit I appreciate an honest conversation. To me the whole “use temporary IPs” thing just says we are offering security through obscuring what IP it might be at. On Dec 28, 2019, at 9:34 AM, Adam Moffett <dmmoff...@gmail.com <mailto:dmmoff...@gmail.com> > wrote: Matt, I really appreciate your candor. Your opinions often get flak for being blunt rather than being wrong and I think you don't deserve the heat as often as you get it. But in this particular case, that definitely doesn't meet the definition of security through obscurity. -Adam On 12/28/2019 3:17 AM, Matt Hoppes wrote: So security through obscurity. Got it. On Dec 27, 2019, at 10:17 PM, Cassidy B. Larson <c...@infowest.com <mailto:c...@infowest.com> > wrote: temp ips are used until the tcp session ends for that stream. If I have an ssh window open for a day, the temp IP is still showing in my interface config, but only until that particular ssh session is closed. New tcp sessions for a bank website would use a different temp IP then get expired after an hour or so if nothing else is using that temp address. Inbound connections to temp ips that are not already “setup” (similar to a router nat translation rule) would be blocked by the os as temp ips are for outbound connections only. On Dec 27, 2019, at 20:07, Matt Hoppes <mattli...@rivervalleyinternet.net <mailto:mattli...@rivervalleyinternet.net> > wrote: Second time I’ve heard this. If it’s using random addresses how does anything communicate back with it? And things like banks that secure sessions based on ip addresss will break if the IP changes with each click. On Dec 27, 2019, at 9:58 PM, Cassidy B. Larson <c...@infowest.com <mailto:c...@infowest.com> > wrote: IPv6 uses temporary addresses for sourcing outbound connections. Some random joe trying to connect back to that temp IP they found in their logs wont get them anywhere. Of course, who knows if your ring doorbell on v6 might actually implement temp ipv6 ips. On Dec 27, 2019, at 6:53 PM, Matt Hoppes <mattli...@rivervalleyinternet.net <mailto:mattli...@rivervalleyinternet.net> > wrote: You’re putting a lot of faith in that SOHO router. I know NAT is not a firewall, but even poorly configured it takes some effort to open ports. With ipv6 dropping the inbound firewall is rather trivial. On Dec 27, 2019, at 8:24 PM, Adair Winter <ada...@amarillowireless.net <mailto:ada...@amarillowireless.net> > wrote: it's not like that won't be firewalled... NAT doesn't stop anything a firewall wouldn't. Consumer routers are going to come out of the box with in incoming deny. On Fri, Dec 27, 2019 at 7:21 PM Matt Hoppes <mattli...@rivervalleyinternet.net <mailto:mattli...@rivervalleyinternet.net> > wrote: And we want to roll ipv6 out to every device in the house and let them on the internet directly.... On Dec 27, 2019, at 8:05 PM, Ken Hohhof <af...@kwisp.com <mailto:af...@kwisp.com> > wrote: I am no fan of Amazon or of Ring doorbells. But seriously, you can sue them for not forcing you to use two factor authentication? Even when the customers say they have no idea what two factor authentication is? As I understand it, these devices weren’t so much hacked as people chose weak passwords, or the same password as something else that had a data breach. It also seems that the class action suit waiver agreeing to arbitration should get the suit thrown out, but who knows. https://www.vox.com/recode/2019/12/27/21039517/amazon-ring-hacking-lawsuit I’m guessing people are filling their homes with “things” that will have similar problems. Oh, and I had the radio on in the car and the one guy said “Hey Alexa” and the other guy scolded him for saying “the A word”. Evidently if you give Alexa an instruction on the radio, thousands of houses get their lights turned on or thermostat turned up or whatever. -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- Adair Winter VP, Network Operations / Co-Owner Amarillo Wireless | 806.316.5071 C: 806.231.7180 <http://www.amarillowireless.net/> http://www.amarillowireless.net <http://www.amarillowireless.net/> -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com _____ -- AF mailing list AF@af.afmug.com <mailto:AF@af.afmug.com> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
-- AF mailing list AF@af.afmug.com http://af.afmug.com/mailman/listinfo/af_af.afmug.com
