Internet-connected doorbells sold by Amazon’s Ring service reportedly contained a security vulnerability.
According to researchers from Bitdefender (via TechCrunch), a security vulnerability in Amazon’s Ring Video Doorbell Pro devices could have allowed attackers to exploit the internet-connected doorbell to intercept the owner’s Wi-Fi credentials, giving hackers unauthorized access to the network – and potentially to other devices on it.
Bitdefender found that the Ring Video Doorbell Pro’s companion smartphone app sent wireless network credentials to the device over plain (unencrypted) HTTP during the set-up and configuration stage. Bitdefender said the flaw meant there was a chance that an attacker could trick the user into believing the doorbell was malfunctioning by repeatedly targeting the device with de-authentication messages so that it was dropped from the Wi-Fi network.
“When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecure manner, through an unprotected access point,” said Bitdefender. “Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”
To restore full functionality, the user would then have to reconfigure the device, at which point their credentials would be exposed.
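For network defenders, the sequence described above (a burst of de-authentication frames against one device, followed by an unprotected setup access point appearing) can be watched for. The following is an added example, not code from Bitdefender or Ring; the event format, thresholds and MAC addresses are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

BURST_COUNT = 5        # assumed: this many deauth frames to one station ...
BURST_WINDOW = 10.0    # ... within this many seconds counts as a burst
FOLLOW_WINDOW = 600.0  # assumed: open AP this soon after a burst is suspicious

# Constructed events, as a wireless sensor might report them (format assumed):
# (seconds, kind, mac, detail). For "deauth", mac is the targeted station;
# for "beacon", mac is the access point's BSSID and detail is its security.
SAMPLE_EVENTS = [
    (1.0, "beacon", "02:00:00:00:00:aa", "wpa2"),   # the home router
    (50.0, "deauth", "02:00:00:00:00:03", ""),      # isolated frame, not a burst
    (120.0, "beacon", "02:00:00:00:00:02", "open"),  # unprotected setup AP
    (121.0, "beacon", "02:00:00:00:00:02", "open"),
] + [(float(t), "deauth", "02:00:00:00:00:01", "") for t in range(6)]


def correlate(events, known_bssids):
    """Return (burst_time, station, ap_time, bssid) for each deauth burst that
    is followed by an open access point not in the known_bssids allowlist."""
    recent = defaultdict(deque)  # station -> timestamps of recent deauth frames
    bursts = {}                  # station -> time of its latest burst
    seen = set()                 # (station, bssid) pairs already alerted on
    alerts = []
    for ts, kind, mac, detail in sorted(events):
        if kind == "deauth":
            window = recent[mac]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT:
                bursts[mac] = ts
        elif kind == "beacon" and detail == "open" and mac not in known_bssids:
            for station, burst_ts in bursts.items():
                in_window = 0 <= ts - burst_ts <= FOLLOW_WINDOW
                if in_window and (station, mac) not in seen:
                    seen.add((station, mac))
                    alerts.append((burst_ts, station, ts, mac))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, known_bssids={"02:00:00:00:00:aa"}):
        print("deauth burst at %.0fs on %s, open AP at %.0fs from %s" % alert)
```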
Bitdefender said it first approached Amazon in June 2019 and was given a PGP key so it could send details of the vulnerability over a secure channel. It was then invited to report via Amazon’s HackerOne bug bounty program. After some back and forth between the two, a partial fix was deployed on September 5.
“All Ring Doorbell Pro cameras have received a security update that fixes the issue described,” said Bitdefender in its disclosure. “We appreciate the Ring team’s efforts to mitigate the issue and keep their customers safe.”
Ring is a video doorbell company owned by Amazon, which bought it for $839 million USD in February 2018. It has partnered with at least 587 police departments across the country, offering law enforcement access to an impromptu surveillance network in residential neighbourhoods.
Privacy advocates have raised concerns about Ring’s close ties to police, pointing out issues with civilian-backed surveillance, along with potential hacks on the internet-connected devices.