Hackers might have gained unauthorised access to the internet-connected Ring doorbell and potentially any other devices connected to it.
A newly discovered security vulnerability could have allowed cyber criminals to intercept the owner’s Wi-Fi network credentials.
Since the possible breach was discovered, Ring Doorbell Pro cameras have now received a security patch to mitigate the issue.
The home security devices have become one of the most popular internet-connected doorbells installed in smart homes.
They have motion-sensing and video surveillance capabilities that allow users to see and communicate with anyone outside their door via an app — even if they’re not at home.
These have proved especially popular with people who are at work during the day and want to keep a check on callers whilst they are away from the home.
The doorbells give them peace of mind that unwanted visitors could be warded off, as they can speak to them through the device even though they are not actually at the property.
The security problem was discovered in the setup process: when the device first connects to the network, the smartphone app needs to send the wireless network connection details to the Amazon Ring servers in the cloud, and this exchange was found to be insecure and open to hacking.
Researchers from Bitdefender found that the device creates an access point without a password, and the credentials of the network are also sent using HTTP, which means they can be exposed to nearby attackers.
Hackers
Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet: “The application and the device communicate over HTTP, not over HTTPS, as the best security practices warrant. HTTP is a ‘sniffable’ protocol, which means that everything exchanged between parties can be eavesdropped on by a potential actor within physical proximity.”
Any attacker wishing to exploit this flaw would need to know that the target is a Ring user, which is easy to establish as the device would be visible.
The researchers discovered that hackers wishing to gain access to the network credentials would not have much difficulty, as they are transferred via an open network. The attacker would simply trick the user into believing their device is malfunctioning, so that they rerun the initial authentication process that leaked the network details.
This could be done by sending deauthentication messages that appear to show the doorbell is no longer connected to the internet.
Harvest
The app would then think that the device should be reconfigured, and the hacker can then harvest all information and connect to the router themselves, plus any other devices without password protection.
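A defender-side sketch of how the sequence described above could be spotted, added here as an example and not taken from Bitdefender or Ring: it flags a device that is hit by a burst of deauthentication frames and then brings up a passwordless setup access point shortly afterwards. The event tuple format, thresholds and MAC addresses are constructed assumptions, and the sketch assumes the setup access point is advertised from the same MAC address the device uses as a client.

```python
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 5   # deauth frames aimed at one device...
BURST_WINDOW = 10      # ...within this many seconds count as a burst
SETUP_WINDOW = 300     # an open AP this soon after a burst is suspicious

# Constructed sample events: (time_s, kind, device_mac, encrypted).
# Hypothetical format standing in for a wireless IDS or AP controller export.
SAMPLE_EVENTS = (
    [(100 + i, "deauth", "aa:bb:cc:00:00:01", None) for i in range(5)]
    + [(160, "ap_seen", "aa:bb:cc:00:00:01", False)]   # open setup AP after burst
    + [(200, "deauth", "aa:bb:cc:00:00:02", None),     # single frame, not a burst
       (230, "ap_seen", "aa:bb:cc:00:00:02", False)]
    + [(300 + i, "deauth", "aa:bb:cc:00:00:03", None) for i in range(5)]
    + [(320, "ap_seen", "aa:bb:cc:00:00:03", True)]    # AP is password protected
)

def find_forced_reprovisioning(events):
    """Return (device_mac, burst_time, open_ap_time) for every device that
    received a deauth burst and then exposed an open access point."""
    recent = defaultdict(deque)   # device -> times of recent deauth frames
    last_burst = {}               # device -> time the latest burst was seen
    alerts = []
    for ts, kind, mac, encrypted in sorted(events, key=lambda e: e[0]):
        if kind == "deauth":
            frames = recent[mac]
            frames.append(ts)
            # Keep only frames inside the sliding burst window.
            while frames and ts - frames[0] > BURST_WINDOW:
                frames.popleft()
            if len(frames) >= DEAUTH_THRESHOLD:
                last_burst[mac] = ts
        elif kind == "ap_seen" and not encrypted:
            burst = last_burst.get(mac)
            if burst is not None and ts - burst <= SETUP_WINDOW:
                alerts.append((mac, burst, ts))
                del last_burst[mac]   # one alert per burst
    return alerts

if __name__ == "__main__":
    for mac, burst, ap in find_forced_reprovisioning(SAMPLE_EVENTS):
        print(f"{mac}: deauth burst at t={burst}s, open setup AP at t={ap}s")
```

An isolated deauthentication frame or an encrypted access point does not raise an alert, which keeps ordinary roaming and normal first-time setup out of the results.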
Astonishingly, this could let the hacker have access to a raft of private information on the network, such as private files and photographs.
They could even listen to or watch IP camera footage from within the home.
Botezatu added: “The doorbell receives the Wi-Fi network password in plain text. Anyone who has access to the password in the proximity of the router can connect to the respective network and start probing for new devices, access network shares or even control equipment.”
Bitdefender contacted Amazon Ring after they discovered the potentially damaging flaw in the system.
A Ring spokesman told ZDNet: “Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched.”