The man at Emily Morgan’s door wore a T-shirt and shorts. He didn’t carry a clipboard, a phone or the type of equipment Morgan typically associated with salesmen and utility repairmen. And she didn’t see any vehicles on the street that might have transported him to her yard. He seemed nervous.

“It was extremely odd,” the Los Altos resident said. “He just said, ‘I want to know how you like your Ring doorbell.’”

The man approached at least three other homes in Morgan’s Grant Road neighborhood that day, Sept. 7. All three featured Ring doorbells. While his intentions may have been innocent, the man’s conversation with Morgan combined with video footage missing from his visit to her home is a peculiar anomaly worthy of scrutiny, the Los Altos Police Department, a local cybersecurity expert and a representative from Ring, an Amazon company, agreed.

Morgan told the man she liked her Ring doorbell, but she grew uneasy when he proceeded to inquire about other security systems in her home.

“I said, ‘We’re not interested,’ and he went and left,” she said.

Later, when Morgan reviewed her Ring surveillance footage, she discovered the doorbell camera had filmed her husband prior to the man’s arrival and again as her husband exited the home to search for the man. It did not, however, record any part of the man’s visit.

“I couldn’t see his face,” Morgan said. “There was nothing there. It was black.”

Morgan eventually acquired Ring footage of the man from a neighbor who had not answered his door, and her husband supplied the video clip to the Los Altos Police Department.

The Town Crier asked the police department about the incident.

“We are not aware of any kind of crime related to this odd behavior, but we certainly encourage residents to call us if suspicious incidents like this occur,” Capt. Katie Krauss wrote in an email.

Potential theories

Timothy Ryan is a computer science instructor who teaches a Foothill College class titled Cybersecurity Fundamentals. He said it’s possible the man at Morgan’s door was attempting to gather information for a future break-in or that he carried some type of device capable of disabling her security system.

“He could have developed this technique himself by buying a Ring camera and evaluating flaws in the technology or he could have purchased a tool from a more sophisticated hacker,” Ryan wrote in an email to the Town Crier. “It did not just randomly happen in Los Altos, it is one of the wealthiest zip codes in the US, all the criminals are very much aware of that and plan their activities accordingly.”

Ryan referenced password-cracking software capable of rapidly testing usernames and passwords until landing on a match. Weakly constructed passwords are particularly vulnerable.

In a bizarre case that gained national media attention in December 2019, a man accessed a Ring camera within an 8-year-old Mississippi girl’s bedroom and taunted her. The girl’s mother later told reporters she had not set up two-factor authentication, or 2FA, for her Ring account, and a statement issued by Ring emphasized the importance of that security feature.

“While we are still investigating this issue and are taking appropriate steps to protect our devices based on our investigation, we are able to confirm this incident is in no way related to a breach or compromise of Ring’s security,” according to the statement, which was provided to a Memphis, Tenn., NBC News television station.

2FA is an additional security step beyond providing a username and password; it typically involves a service provider sending a one-time code to the email address or cellphone number associated with an account.

In January 2020, after recognizing consumers’ tendency to reuse usernames and passwords, Ring began requiring 2FA, said Yassi Shahmiri, the company’s director of communications.

“We realized making that security check optional was not enough,” she said.

A situation similar to what Morgan experienced in Los Altos previously unfolded 3,000 miles away. In February 2019, an intruder broke into a Chester County, Penn., family’s home, but neither their Ring doorbell nor their ADT security system, which operated on different Wi-Fi networks, recorded the man going inside, according to an article by WPVI, a Philadelphia-based ABC news station. The Ring doorbell recorded only his exit.

A security expert the family hired told WPVI the burglar may have disabled their Wi-Fi by guessing passwords or by blasting out crippling radio waves to jam the networks.

Documented software vulnerabilities

If the Morgans’ Ring doorbell was tampered with, the person responsible most likely gained access through their Wi-Fi network – not via their Ring account, Shahmiri said.

Ryan agreed that could be a plausible explanation. But he also pointed to documentation by the National Vulnerability Database, a repository of cyber vulnerabilities maintained by the federal government, that revealed flaws in versions of Ring’s software prior to the company’s 3.4.7 release. A 2019 database entry stated the software “mishandles encryption, which allows attackers to obtain audio and video data, or insert spoofed video that does not correspond to the actual person at the door.”

Ring subsequently released a statement indicating the problem had been fixed and encouraging customers to update their software.

Morgan said Shahmiri reached out to her last week and expressed her concern. She agreed Morgan’s encounter with the man seemed suspicious, and she encouraged her to change any vulnerable passwords, which the family has already done.

Ring issued another statement to the Town Crier Friday after speaking with Morgan: 

"Customer security is foundational at Ring. We have investigated this incident, and there was no unauthorized access to the customer’s account. Like any wifi-enabled device, any signal interference may affect Ring device performance."