Ring doorbells had vulnerability leaking Wi-Fi login info, researchers find

11.10.19 – c/net -Chris Monroe

Amazon’s video doorbell sees who’s at your doorstep. For months, anyone on its open network could have seen your username and password.

People buy RIng’s video doorbells to bring a sense of safety to their homes, but a software flaw left their network’s security wide open, researchers said. The flaw, disclosed Thursday, would have allowed potential attackers to steal a Ring owner’s Wi-Fi username and password, according to cybersecurity company Bitdefender.

The security company first informed Ring’s parent company about the issue in June, and released a fix for the vulnerability in an automatic update in September, the researchers said.

Ring is a video doorbell company owned by Amazon, which bought it for $839 million in February 2018. It has partnered with at least 587 police departments across the country, offering law enforcement access to an impromptu surveillance network in residential neighborhoods.

Privacy advocates have raised concerns about Ring’s close ties to police, pointing out issues with civilian-backed surveillance, along with potential hacks on the internet-connected devices.

This isn’t the first time Ring has had a vulnerability in its video doorbells. In 2016, security researchers from Pen Ten Partners found flaws with Ring’s doorbell that would allow potential hackers to steal Wi-Fi passwords. The company issued a fix, but that wasn’t the end of the story. In February, security firm Dojo Bullguard hacked a Ring doorbell in real time at Mobile World Congress, allowing an attacker to view footage from the device’s video feed.

And now comes the vulnerability disclosed by Bitdefender on Thursday.

“Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched,” Ring said in a statement.

The vulnerability happens in the video doorbell’s communications with Ring’s app. When you first set up your Ring device, the app needs to send your Wi-Fi network’s login information to the doorbell.

It had been sending this sensitive information over an unencrypted network, which meant that anyone viewing that network could have seen your username and password for your Wi-Fi. The potential hacker would have to be within range of your Wi-Fi to carry out this attack.

While this attack can only take place during the video doorbell’s setup process, a hacker could also send fake messages to the person to trick them into setting up the doorbell again, the researchers said.