11.10.19 – c/net -Chris Monroe
Amazon’s video doorbell sees who’s at your doorstep. For months, anyone on its open network could have seen your username and password.
People buy RIng’s to bring a sense of safety to their homes, but a software flaw left their network’s security wide open, researchers said. The flaw, disclosed Thursday, would have allowed potential attackers to steal a Ring owner’s Wi-Fi username and password, according to cybersecurity company Bitdefender.
The security company first informed Ring’s parent company about the issue in June, and released a fix for the vulnerability in an automatic update in September, the researchers said.
Ring is a video doorbell company owned by Amazon, which bought it for $839 million in February 2018. It has partnered with at least 587 police departments across the country, offering law enforcement access to an impromptu surveillance network in residential neighborhoods.
Privacy advocates have raised concerns about Ring’s close ties to police, pointing out issues with civilian-backed surveillance, along with potential hacks on the internet-connected devices.
And now comes the vulnerability disclosed by Bitdefender on Thursday.
“Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched,” Ring said in a statement.
The vulnerability happens in the video doorbell’s communications with Ring’s app. When you first set up your Ring device, the app needs to send your Wi-Fi network’s login information to the doorbell.
It had been sending this sensitive information over an unencrypted network, which meant that anyone viewing that network could have seen your username and password for your Wi-Fi. The potential hacker would have to be within range of your Wi-Fi to carry out this attack.
While this attack can only take place during the video doorbell’s setup process, a hacker could also send fake messages to the person to trick them into setting up the doorbell again, the researchers said.