Although people buy video camera doorbells from Ring manufacturer hoping to increase the security of their homes, a flaw in the software of these devices could expose its users to a new security risk. According to experts in ethical hacking, the flaw would allow a threat actor to extract username and WiFi password from the doorbell user.
According to Bitdefender’s report, the security
firm in charge of reporting the vulnerability, Ring’s parent company was
informed of this flaw last June; the vulnerability was corrected in the Ring
update for September.
It should be remembered that Ring is a company
dedicated to the manufacture of doorbells with surveillance camera; almost two
years ago, this company was acquired by Amazon
for almost $850 million USD. Currently, these surveillance systems are linked
to at least 580 police departments in the United States, integrating a
neighborhood surveillance network, ethical hacking experts report.
Explained in this way, installing Ring devices
in homes would seem like a good idea, although not everyone thinks their use is
recommended. Privacy specialists have expressed concern that these systems
connect directly to police stations, as well as the obvious exposure to threat
actors.
An additional concern is that this is not the
first time experts found vulnerabilities in Ring. A couple of years ago,
experts at Pen Ten Partners discovered a series of flaws in these devices that,
if exploited, allowed hackers to extract passwords from the WiFi network to
which the doorbell connects. Other research has shown that it is possible to
extract real-time images from these devices.
Ethical hacking experts mention that the
vulnerability lies in the connection between the video camera and the Ring app.
When setting up a device for the first time, the app must send a sign-in record
from the WiFi network to the doorbell. Because this information is sent over an
unencrypted network, any hacker could perform a Man-in-the-Middle (MiTM) attack
to intercept the sent data. It is important to note that the attacker must be
in a location close to the signal from the target WiFi network.
After the latest security issue was revealed in
Ring, the company released a statement: “The security of our devices and
the trust of our users are the most important thing to us. We want to report
that a security update was released to address the reported failure; the
problem has already been corrected.”
Due to its characteristics, this attack can
only occur during the device configuration process, mentioning ethical hacking
specialists from the International Institute of Cyber Security (IICS). However,
a hacker could also send fake messages to a user to try to trick them and have
them set the ring from scratch again, although the complexity of this scenario
increases considerably.
