California’s AG has the power to fix smart home camera ‘hacks’

Did you hear about the hackers who accessed peoples’ Ring doorbell cameras and Ring cameras, and shouted at them? Just like the Nest camera hacks of a few months back, these hacks were a result of someone having access to the users’ password and email combinations and trying them to see if they could log in to existing camera accounts. Nest and Ring weren’t hacked; user passwords were.

Luckily, there’s a solution that already exists to stop this: multifactor authentication. And an upcoming law in California could change the requirements around multifactor authentication for home cameras.

The fix for this problem rests mostly with the user and a little bit with smart home device makers. Device makers need to provide multifactor authentication, so when someone tries to access the account, they must also respond with a code sent to an existing cell number on file or in an app. This way the hacker needs the password and control of your cell phone to get access to your devices. People can still gain control of the cell phone number using a technique called a SIM swap, but that’s pretty tough to do and takes time.

On the user side, users need to create unique (and good) passwords. Ideally, for something as crucial as an in-home camera (especially if it is in a child’s bedroom), they will also turn on two-factor authentication. Both Nest and Ring offer two-factor authentication. People just have to turn it on.

Connected devices represent an entirely new security threat, opening up our homes in ways that are unprecedented. Of course, people who have strangers looking into their homes and yelling at them feel violated. It’s a huge transgression. And two-factor authentication is really inconvenient, which means that Ring and Nest don’t want to force it on onto people, because then people wouldn’t buy their products.

But they may not have much choice going forward. In January, California’s SB 327 law goes into effect. This law calls for device makers to implement “reasonable” security features. The definition of reasonable is vague, but the law does take into account the device’s function and the type of data it collects when determining how reasonable those security features actually are.

I’d argue that, given the rampant theft of consumer passwords from poorly secured databases and the potential harm of an easily accessed camera in the home, multifactor authentication becomes a “reasonable” standard of security for such a device. This will only affect new devices sold after the law goes into effect, but it’s a start. We’ll see if California’s attorney general agrees with my definition of reasonable in the near future.

Mozilla is already pushing to force Amazon to make buyers opt-out (rather than in) of multifactor authentication through a petition. A petition might not change anything, but enforcing SB 327 in this way would.

Enforcement has the bonus of making all vendors comply with this rule, which evens the playing field. This means that device makers are forced to implement multifactor authentication for certain devices even though consumers will find it inconvenient. It also means that they will have an incentive to develop more convenient multifactor authentication as a competitive advantage.

I’d like to see camera vendors figure out how to use alternative biometrics that might be more convenient and more secure. Face ID seems like a reasonable option to let people log in because most phones already have it. Forcing a face match before giving someone access to a camera seems reasonable, and is far less cumbersome to the user.

So while today things look grim for the makers and buyers of home cameras, I hope that California’s attorney general can help the industry out of this current reliance on passwords as the only thing standing between users and someone else getting on their smart home devices.