Ring doorbells leak users' Wi-Fi passwords in clear text

News comes amid mounting criticism of the Amazon-owned surveillance company

Ring doorbell

A flaw found in Amazon's Ring doorbells could allow hackers to intercept owners' Wi-Fi passwords in clear text during the initial setup phase, according to security researchers.

The vulnerability has since been patched following Bitdefender's private disclosure to Ring, but the researchers said it could have provided a platform for attackers to "mount a larger attack against a household network".

Advertisement - Article continues below

The issue - a vulnerability that was initially discovered on 20 June 2019  - lies in the connection between the smartphone app and the Ring device. Data transmission takes place over the HTTP protocol instead of the more secure HTTPS.

The smartphone app sends the network details over to the Ring doorbell via an unprotected Wi-Fi network in order for it to connect to the residence's network and begin surveillance.

Using an open network and HTTP means nearby eavesdroppers would be able to listen to the communication between app and network and glean the password needed to launch a further attack.

Attackers can trick the owner of the IoT doorbell into reconfiguring the device by sending de-authentication messages so frequently the device dropped from the network. When the device is dropped and the user has restarted the setup phase, the attacker can sniff the network which will then reveal the clear text password.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"This latest IoT vulnerability highlights the urgent need for a new set of security standards and protocols that deal with the rapid emergence of connected devices," said Stuart Sharp, VP of solution engineering at OneLogin.

"Governments need to establish guidance and manufacturers need to be held responsible for following best practices when designing 'connected' devices," he added. "Standards won't eliminate all vulnerabilities, but they could bring order to what is right now the wild west of IoT."

Ring was criticised earlier this week for publicising the breadth of its surveillance powers in a series of Instagram stories. The social media stories showed how easily the company could track children going door-to-door trick or treating for Halloween.

The company's surveillance powers have been further evidenced by the sheer number of partnerships it has with police departments in the US.

Ring's neighbourhood watch product Neighbors is used by police forces to acquire residential footage without a warrant. In exchange, the roughly 600 police departments which are currently partnered with Ring must either implicitly promote the product or mention the company in Ring-approved statements, according to BuzzFeed News.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/mobile/mobile-security/355889/parachute-introduces-superlock-feature
mobile security

Parachute's Superlock feature keeps your phone recording in an emergency

2 Jun 2020
Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020

Most Popular

Visit/operating-systems/ios/355935/apple-confirms-serious-bugs-in-ios-135
iOS

Apple confirms serious bugs in iOS 13.5

4 Jun 2020
Visit/mobile/5g/355911/the-uk-pivots-to-japan-for-5g-equipment
5G

The UK looks to Japan and South Korea for 5G equipment

4 Jun 2020
Visit/security/ransomware/355945/new-ransomware-uses-java-to-target-software-organisations
ransomware

Tycoon ransomware discovered using Java image files to target software firms

5 Jun 2020