Earlier this year, Amazon’s Ring Video Doorbell Pro IoT (Internet of Things) devices were reported to be affected by a flaw that leaked customers’ Wi-Fi usernames and passwords. Amazon’s Ring Doorbell leaks have been causing a growing problem over the past few months, and here’s why.
Researchers working at Bitdefender discovered the problem in Amazon’s smart doorbells that “supposedly” combine security cameras with motion-detection to help protect people’s homes against intrusion. But what about users’ private data? That’s important too. Imagine the irony of a security camera leaking your personal credentials.
According to Bitdefender’s whitepaper published online, an attacker who came physically close enough to one of Amazon’s Ring Video Doorbells could easily exploit the flaw and intercept the user’s Wi-Fi network credentials.
Take a look at the excerpt below from Bitdefender’s researchers’ study, which clearly explains how the attack was done.
Vulnerability at a glance
When entering configuration mode, the device receives the user’s network credentials from the smartphone app. Data exchange is performed through plain HTTP, which means that the credentials are exposed to any nearby eavesdroppers.
Another important step in exploitation is the fact that a hostile actor can trigger the reconfiguration of the Ring Video Doorbell Pro. One way to do this is to continuously send deauthentication messages, so that the device gets dropped from the wireless network. At this point, the mobile app loses connectivity and instructs the user to reconfigure the device.
This is a very important and concerning issue, mainly because the proliferation of Amazon’s Ring doorbell surveillance cameras is not just a privacy and civil rights concern, but also a security threat.
The attackers could access users’ Wi-Fi credentials due to a problem in the initial configuration of the smart doorbell device. Even worse, attackers could cause the device to fail and force a connectivity drop, and potentially even reconfigure the device to ultimately launch an attack on the home network.
That’s not only scary, but it also does nothing to ensure safety, which means that Amazon has some serious explaining to do.
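A defender can watch for the deauthentication burst that the excerpt names as the trigger for reconfiguration. The following is an added example, not code from Bitdefender or Ring: it scans constructed 802.11 frame records and flags any station that receives an unusual number of deauth frames in a short window. The record layout, MAC addresses, window and threshold are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame records:
# (time in seconds, frame subtype, transmitter, receiver). MACs are made up.
DOORBELL = "aa:bb:cc:00:00:01"
LAPTOP = "aa:bb:cc:00:00:02"
AP = "aa:bb:cc:00:00:fe"
SAMPLE_FRAMES = (
    [(0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
     (1.0, "deauth", AP, LAPTOP)]             # isolated deauth: not a flood
    + [(10.0 + i * 0.1, "deauth", AP, DOORBELL) for i in range(40)]  # burst
    + [(60.0, "deauth", AP, LAPTOP)]          # second isolated deauth
)

def find_deauth_floods(frames, window=5.0, threshold=20):
    """Return {receiver: (first_seen, peak_count)} for every station that
    received at least `threshold` deauth frames within `window` seconds.
    Both defaults are assumed values and need tuning per network."""
    recent = defaultdict(deque)    # receiver -> timestamps inside the window
    alerts = {}
    for ts, subtype, _src, dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:    # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            first, peak = alerts.get(dst, (q[0], 0))
            alerts[dst] = (first, max(peak, len(q)))
    return alerts

if __name__ == "__main__":
    for station, (start, peak) in find_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood against {station}: starts at {start:.1f}s, "
              f"peak {peak} frames per window")
```

An alert of this kind followed by a prompt in the app to set the doorbell up again is the sequence the excerpt describes, so it is a reason to hold off on re-entering Wi-Fi credentials until the device firmware is confirmed to be patched.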
Below you can take a look at the full press release on the issue.
Amazon’s Ring doorbells leaks customers’ Wi-Fi username and password
IMMEDIATE RELEASE: November 7, 2019
CONTACT: Evan Greer, 978-852-6457, [email protected]
Today, Cyberscoop reported a major security vulnerability in Amazon’s Ring doorbell app. Amazon’s Ring doorbells, which have already raised significant privacy and civil liberties concerns, have now been shown to be deeply insecure, exposing users’ Wi-Fi passwords to hackers.
With this Wi-Fi information, hackers can access customers’ personal home networks. It only gets scarier from there as hackers could use customers’ webcams to spy on them and their children, gain access to their bank accounts, and retrieve personal information necessary for identity theft.
“This is a classic example of how more surveillance does not mean more safety,” said Evan Greer, Deputy Director of Fight for the Future. “Amazon has consistently shown reckless disregard for privacy and civil liberties, but this is terrifying on a whole other level. Putting insecure cameras and listening devices around your home puts your family in danger. Congress should immediately investigate the threat posed by Amazon’s rapidly spreading, for-profit surveillance dragnet.”
Amazon’s surveillance network doesn’t only threaten our privacy and civil liberties, but our security as well. Meanwhile, millions of Americans continue to buy Ring products unaware of the dangers the technology and surveillance partnerships with police pose.
With over 550 partnerships across the country and millions of Americans potentially impacted, we need Congress to intervene. More than 10,000 people have already written lawmakers calling on them to investigate Amazon’s surveillance empire and their troubling partnerships with law enforcement.
While Amazon has already patched the vulnerability in its Ring smart doorbell device, that same flaw once again raises the security issues associated with IoT (Internet of Things).
Furthermore, the flaw also raises concerns about the persistent lack of security in smart-home devices that are designed exclusively to help people protect their privacy and security, not to put them in danger and aggravate the problem.