Amazon Fixes Ring Video Doorbell Flaw That Leaked Wi-Fi Credentials

Attackers could access Wi-Fi credentials due to a problem in initial configuration of the smart doorbell device.

UPDATE

Amazon has patched a vulnerability in its Ring smart doorbell device that could allow attackers to access the owner’s Wi-Fi network credentials and potentially reconfigure the device to launch an attack on the home network, researchers have found.

Researchers discovered the problem in Amazon’s Ring Video Doorbell Pro IoT device, a smart doorbell that combines security cameras with motion-detection to help protect people’s homes against intrusion.

If exploited, the problem, outlined in a whitepaper published online, would allow an attacker physically near the device to intercept Wi-Fi network credentials, according to Bitdefender, which discovered the flaw. The security firm informed Amazon of the flaw in June. After several months of back-and-forth communication, Amazon issued a patch for the device earlier this week.

The key issue with Ring exists in how users first configure the device, which requires the device’s smartphone app to use a wireless connection to send the wireless network credentials to the smart doorbell, researchers said.

“This takes place in an unsecure manner, through an unprotected access point,” researchers wrote. “When entering configuration mode, the device creates an access point without a password (the SSID contains the last three bytes from the MAC address).”

Since this data exchange is performed through plain HTTP, anyone eavesdropping on the network can access the credentials, researchers said.

While your neighbor using your Wi-Fi may not seem like the end of the world, the issue has another component that can allow for a more expansive attack and access to other smart devices on the network, researchers said. Bad actors could use the exploit to trigger reconfiguration of the Ring Video Doorbell Pro, researchers said.

“One way to do this is to continuously send deauthentication messages, so that the device gets dropped from the wireless network,” according to Bitdefender. “At this point, the mobile app loses connectivity and instructs the user to reconfigure the device.”
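The sequence the researchers describe (a burst of deauthentication frames against the doorbell, followed by the device reappearing as a passwordless setup access point) can be watched for from the defender's side. The following is an added example, not code from Bitdefender or Ring; the event record format, the thresholds, the MAC address and the SSID strings are constructed assumptions, as is the hex formatting of the MAC suffix inside the SSID.

```python
from collections import defaultdict, deque

# Assumed tuning values, not taken from the whitepaper.
DEAUTH_THRESHOLD = 20    # deauth frames to one station...
DEAUTH_WINDOW = 10.0     # ...within this many seconds counts as a flood
SETUP_AP_WINDOW = 300.0  # seconds after a flood to watch for an open setup AP

def mac_suffix(mac):
    """Last three bytes of a MAC as lowercase hex without separators."""
    return "".join(mac.lower().split(":")[-3:])

def detect_forced_reconfig(events, watched_macs):
    """Alert when a watched station is deauth-flooded and an open AP whose
    SSID contains that station's MAC suffix then starts beaconing."""
    watched = {m.lower() for m in watched_macs}
    recent = defaultdict(deque)  # station -> timestamps of recent deauths
    flooded_at = {}              # station -> last time the flood condition held
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "deauth" and ev["dst"].lower() in watched:
            mac, q = ev["dst"].lower(), recent[ev["dst"].lower()]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > DEAUTH_WINDOW:
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD:
                flooded_at[mac] = ev["ts"]
        elif ev["type"] == "beacon" and not ev["encrypted"]:
            for mac, t0 in list(flooded_at.items()):
                in_window = 0 <= ev["ts"] - t0 <= SETUP_AP_WINDOW
                if in_window and mac_suffix(mac) in ev["ssid"].lower():
                    alerts.append({"station": mac, "flood_ts": t0,
                                   "open_ssid": ev["ssid"], "beacon_ts": ev["ts"]})
                    del flooded_at[mac]
                    recent[mac].clear()
    return alerts

def sample_events():
    """Constructed capture summary: a flood against one doorbell, then beacons."""
    bell = "aa:bb:cc:12:34:56"  # constructed MAC
    evs = [{"ts": i * 0.2, "type": "deauth", "dst": bell} for i in range(30)]
    evs.append({"ts": 40.0, "type": "beacon", "ssid": "Setup-123456", "encrypted": False})
    evs.append({"ts": 41.0, "type": "beacon", "ssid": "HomeNet", "encrypted": True})
    return bell, evs

if __name__ == "__main__":
    bell, evs = sample_events()
    for alert in detect_forced_reconfig(evs, [bell]):
        print(alert)
```

An alert here means the owner should not re-enter Wi-Fi credentials into the app until the device firmware is confirmed to be patched.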

No Amazon Ring users at this point appear to have been affected by the flaw.

Bitdefender’s first disclosure of the problem to the company was on June 20; Amazon patched the issue in September; and coordinated disclosure of the flaw occurred on Nov. 7.

“Customer trust is important to us and we take the security of our devices seriously,” a Ring spokesperson told Threatpost. “We rolled out an automatic security update addressing the issue, and it’s since been patched.”

Indeed, the vulnerability once again raises the security issues associated with the IoT, especially the persistent lack of security in smart-home devices that are meant to help people protect their privacy and security, not undermine them.

This post was updated at 2:40 p.m. ET on Nov. 8 with a statement from Ring.

This post was updated at 10:30 a.m. Nov. 13 to correct an error regarding the timing of Amazon’s patch.
