Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and then launch a variety of attacks, including man-in-the-middle (MitM) attacks, against other devices connected to the same network.
In case you don’t own one of these, Amazon’s Ring Video Doorbell is a smart wireless home security doorbell camera that lets you see, hear and speak to anyone on your property from anywhere in the world.
The smart doorbell needs to be connected to your WiFi network, allowing you to remotely access the device from a smartphone app to perform all tasks wirelessly.
When setting up the device for the very first time and sharing your WiFi password with it, you need to enable configuration mode on the doorbell.
Entering configuration mode turns on a built-in, unprotected wireless access point, allowing the Ring smartphone app installed on your phone to automatically connect to the doorbell.
However, researchers told The Hacker News that besides using an access point with no password, the initial communication between the Ring app and the doorbell, i.e., when you share your home’s WiFi password with the doorbell, is performed insecurely through plain HTTP.
Thus, a nearby attacker can simply connect to the same unprotected wireless access point while setup is in progress and steal your WiFi password using a man-in-the-middle attack.
Since this attack can only be performed during the “one-time initial configuration” of the device, you might be wondering how an attacker can leverage this loophole after the device has already been configured.
Researchers suggested that by continuously sending de-authentication messages to the device, an attacker can trick the user into believing that the device is malfunctioning, forcing them to reconfigure it.
“Attackers can trigger the reconfiguration of the Ring Video Doorbell Pro.
One way to do this is to continuously send deauthentication packets, so that the device is dropped from the wireless network.
At this point, the App loses connectivity and tells the user to reconfigure the device,” the researchers told The Hacker News.
“The live view button becomes greyed out and, when clicked, the app will suggest restarting the router or pressing the setup button twice on the doorbell.
Pressing the button twice will trigger the device to try to reconnect to the network – an action that will fail.
The last resort is to try and reconfigure the device,” Bitdefender said in a blog post.
Once the owner enters into the configuration mode to re-share WiFi credentials, the attacker sniffing the traffic would capture the password in plaintext, as shown in the screenshot.
Once in possession of a user’s WiFi password, an attacker can launch various network-based attacks, including:
- interact with all devices within the household network;
- intercept network traffic and run man-in-the-middle attacks;
- access all local storage (a NAS, for example) and subsequently access private photos, videos and other types of information;
- exploit all vulnerabilities existing in the devices connected to the local network and get full access to each device, which may lead to reading emails and private conversations;
- get access to security cameras and steal video recordings.
Bitdefender discovered this vulnerability in Ring Video Doorbell Pro devices in June this year and responsibly reported it to Amazon, but got no update from the company.
When asked for an update in late July, the vendor closed the vulnerability report in August and marked it as a duplicate, without saying whether a third party had already reported the issue.
However, after some communication with the vendor, an automatic fix for the vulnerability was partially issued on 5th September.
“However, to be on the safe side Ring Video Doorbell Pro users should make sure they have the latest update installed. If so, they’re safe.”
A similar security vulnerability was discovered and patched in the Ring Video Doorbell devices in early 2016 that was also exposing the owner’s WiFi network password to attackers.
To gain access to network credentials as they are transferred via an open network, the attacker needs to trick the user into believing their device is malfunctioning so that they rerun the initial authentication process that leaks the network details.
One way to do this is by sending deauthentication messages, which makes it appear that the doorbell is no longer connected to the internet. This leads the app to suggest that the device should be reconfigured. When the user goes through this process, the plaintext credentials can be sniffed by the attacker with the aid of relatively simple open-source tools.
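The deauthentication lure described in the researchers’ account above and in the preceding paragraph has a detectable signature on the defender’s side: a burst of 802.11 deauthentication frames aimed at one station (or at the broadcast address) in a short window, which a wireless IDS or a home-network monitor can flag before the owner is talked into re-provisioning the device. The following detector is an added example, not code from Bitdefender or Ring; the frame records and MAC addresses are constructed, and the field layout (timestamp in ms, frame subtype, source, destination) is an assumption about how a sniffer might export management frames.

```python
from collections import defaultdict, deque

DOORBELL = "aa:bb:cc:00:00:01"   # constructed MAC of the monitored doorbell
HOME_AP = "de:ad:be:ef:00:01"    # constructed MAC of the home router
OTHER_STA = "aa:bb:cc:00:00:02"  # constructed MAC of another client


def build_sample_frames():
    """Constructed management-frame log: (timestamp_ms, subtype, src, dst).

    Contains normal beacons, one benign deauth to another client, a burst of
    25 deauth frames hitting the doorbell within 1.2 s (the flood), and a
    single later deauth that should not raise a second alert.
    """
    frames = [(t, "beacon", HOME_AP, "ff:ff:ff:ff:ff:ff") for t in range(0, 10000, 100)]
    frames.append((100, "deauth", HOME_AP, OTHER_STA))       # benign, isolated
    frames += [(1000 + 50 * i, "deauth", HOME_AP, DOORBELL) for i in range(25)]
    frames.append((8000, "deauth", HOME_AP, DOORBELL))       # isolated, after flood
    return sorted(frames)


def detect_deauth_flood(frames, window_ms=2000, threshold=10):
    """Return one alert (timestamp_ms, dst, count) per destination that
    receives at least `threshold` deauth frames inside any `window_ms` span.

    A sliding window per destination keeps only recent deauth timestamps, so
    legitimate, sparse deauths (roaming, idle timeouts) never trigger it.
    """
    recent = defaultdict(deque)
    alerts, already_alerted = [], set()
    for ts, subtype, _src, dst in frames:
        if subtype != "deauth":
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window_ms:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and dst not in already_alerted:
            alerts.append((ts, dst, len(q)))
            already_alerted.add(dst)
    return alerts


if __name__ == "__main__":
    for ts, dst, n in detect_deauth_flood(build_sample_frames()):
        print(f"t={ts}ms deauth flood against {dst}: {n} frames in window")
```

An alert against the doorbell’s MAC immediately followed by the doorbell’s open setup access point appearing is exactly the sequence the attack relies on, so correlating the two is a useful follow-up signal.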
With these credentials, the attacker could connect to the router themselves — and to any other devices on the network that lack password protection. This could potentially allow the attacker to gain access to private documents, photos and other files on the network, as well as the ability to exploit further vulnerabilities to gain access to emails and other personal data.
There’s also scope for accessing other IoT devices on the network and interacting with them in ways that could breach the Ring user’s privacy — such as listening to or watching IP camera footage from within the home.
“The doorbell receives the Wi-Fi network password in plain text. Anyone who has access to the password in the proximity of the router can connect to the respective network and start probing for new devices, access network shares or even control equipment,” said Botezatu.
On discovering the vulnerability, Bitdefender contacted Amazon Ring and the company has since delivered a security update.
What’s the Solution?
Bitdefender notified Ring’s technical team about this vulnerability in June. As is standard in responsible disclosure, they gave Ring a deadline to fix the problem, after which they would publish their findings whether a fix had shipped or not.
As of this writing, Ring has pushed out a fix to all Ring Video Doorbell Pro devices.
A Ring spokesperson told us, “Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched.”
Now, when the Ring device broadcasts its setup Wi-Fi network for your phone to join, the app talks to it over an HTTPS connection.
Rather than requiring the user to authenticate with a password, it secures the connection using a digital certificate signed by the company and validated by the app.
Why didn’t they do that in the first place? They probably thought, as we once did, that the risk of someone sniffing that connection at just the right moment is negligible.
We really, really hope that this news means Ring has fixed any problems that might exist in the Ring Video Doorbell 2 and the entire video doorbell product line.
However, Bitdefender’s team states very clearly that they only examined the Ring Video Doorbell Pro, and only verified that the problem is solved for that device.
The fact that Ring fixed this somewhat obscure hole so quickly gives us hope. After all, any company might offer a product that has a vulnerability.
A company’s response to such challenges makes all the difference.