Researchers have identified a vulnerability in Ring doorbells that revealed the passwords for the WiFi networks to which they were connected.
Ring, which was acquired by Amazon after paying $1 billion in February 2018, is an outdoor home security company that provides homeowners a line of preventative security doorbells and cameras. This alarming news of the WiFi cracking problem in their doorbell raises many questions about their credibility.
Bitdefender, a security company that discovered this vulnerability, said that Amazon’s Ring doorbell was sending owners’ hidden information like WiFi passwords in plaintext as the doorbell connects the local network. This allowing nearby hackers to catch or sniff the WiFi password using different simple techniques.
Bitdefender(pdf) concluded that,
“When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an insecure manner, through an unprotected access point,…Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”
This bug allowed intruders to access one’s WiFi network, potentially infiltrating smart home devices as well as photo or video surveillance raising privacy concerns. All of this is carried out due to an unencrypted connection, which is exposing the secure details that are sent through wireless communication, i.e., over the air.
Amazon had previously delivered the updates in the past a bid to improve security weaknesses in all its Ring devices in September recently, but this vulnerability remains undiscovered.
A Ring spokesman spoke to ZDNet said, “Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched.”
An update to fix the problem is already dispatched. It will automatically update the software with this security update.
This news causes quite a stir in the users of home security products. This discovered vulnerability is mainly found in Ring Video Doorbell Pro. Discovery in the rest of the products, including the Ring Video Doorbell 2 and the entire video doorbell product line, is still at large. Amid all of these, Bitdefender gave a clean chit to this particular device after the update.
Unrestricted access to videos in 2016
Ring has not taken privacy as the first priority in the past as well. In 2016, Ring was found to be using no encryption on videos that were available publically to anyone. According to a detailed report by The Intercept, in 2016 Ring outsourced some of their R&D work to a team in Ukraine known as Ring Labs. Ring provided public level access to a folder on Amazon’s S3 cloud storage service that stored every video created by every Ring camera across the globe. Additionally, a database using which one can search for any Ring user for his videos was provided too.
It is yet another example of smart home technology bearing security concerns. As smart home devices are considered as reliable, designed to make our lives easier and homes more secure, researchers keep dismantling this narrative by discovering vulnerabilities in them, which subsequently jeopardize the home security altogether.
At the time of writing, Ring Video Doorbell 2 is available for 60% off. Buy at Amazon.com.
Featured image: BestBuy