Internet-connected doorbells sold by Amazon’s Ring service contained a security vulnerability that would have made it possible for hackers to intercept a customer’s Wi-Fi username and password, then launch a larger attack on the network, according to findings made public Thursday.
Researchers from the Romanian security firm Bitdefender discovered earlier this year that when a user first configured their Ring doorbell app, it accepted credentials in an unsecure format as it created a new digital access point. Then, when that network went live, the Ring app automatically obtained the Wi-Fi credentials and sent them to the local network.
All of those transmissions were sent through an unencrypted HTTP format, meaning anyone with access to that open network could have obtained the Wi-Fi username and password, Bitdefender said. Researchers notified Amazon about the issue, and the company delivered a security patch via an automatic update. (Hackers likely would have needed to be within a close physical proximity to carry out this attack.)
The insecure connection goes through the user’s local network to the api.ring.com API. The Ring app also communicates with other APIs to carry out other tasks, but those commands are executed in a secure TLS format, the researchers noted.
This flaw only was the latest example of connected technology that promised to secure victims, while actually introducing a new vulnerability onto their home network. Netgear Arlo home surveillance cameras and Zpitao smart hubs, which can lock or unlock doors remotely, both relied on easily hackable technology that would have enabled outsiders to view video recorded at their home, or unlock the doors.
But security issues in Ring technology are unique because the doorbells record motion-triggered video from up to 30 feet away. The devices are so effective as surveillance equipment that police departments throughout the U.S. have started offering discounts to citizens, and sometimes use tax dollars to pay for Ring products, as CNET and other outlets have reported in detail.
By offering incentives, local officials effectively encouraging citizens to help build a video surveillance network that expands what police otherwise would have been able to build. But flaws in that equipment also could render all those users vulnerable to the same attacks, and they may never even know it.