Another day and another security flaw exposed… this time, Bitdefender and Amazon have disclosed a since-patched bug in which Ring Video Doorbell Pro setups were sending user Wi-Fi passwords through unsecured HTTP requests.
UPDATE (07/11/2019): A Ring spokesperson reached out to Techaeris with the following statement concerning this story: “Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched.”
The security flaw was first discovered in June. Bitdefender alerted Amazon and after some back and forth, finally confirmed that a fix was “being partially deployed” in September. And here we are two months later with both companies releasing the disclosure of said flaw.
As for the bug itself, the setup configuration for Amazon’s Ring Video Doorbell Pro sent the user’s network information through the app via a non-HTTPS connection. In plain English, this means that an attacker within wireless range could intercept that data and then gain access to your Wi-Fi network. While this seems unlikely, the issue was further compounded by the fact that a remote reconfiguration of the doorbell could be triggered at will. At that point, the attacker could listen in during the reconfiguration of the device to gain those credentials.
“When entering configuration mode, the device receives the user’s network credentials from the smartphone app. Data exchange is performed through plain HTTP, which means that the credentials are exposed to any nearby eavesdroppers.
“Another important step in exploitation is the fact that a hostile actor can trigger the reconfiguration of the Ring Video Doorbell Pro. One way to do this is to continuously send deauthentication messages, so that the device gets dropped from the wireless network. At this point, the mobile app loses connectivity and instructs the user to reconfigure the device.”
Bitdefender
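From the defender’s side, the one observable part of the trigger Bitdefender describes is the burst of deauthentication frames aimed at the doorbell. The script below is an added example, not Bitdefender’s or Ring’s code: it runs a sliding-window count over constructed frame observations (the MAC addresses, timestamps and record format are invented for the example) and flags any destination that receives an abnormal number of deauths, which is the kind of check a wireless monitor or IDS rule would implement.

```python
from collections import defaultdict, deque

# Constructed device addresses for this example (not from the advisory).
DOORBELL = "02:00:00:00:00:01"
LAPTOP = "02:00:00:00:00:02"

# Constructed observations a wireless monitor might record:
# (seconds since capture start, 802.11 frame subtype, destination MAC).
SAMPLE_FRAMES = (
    [(0.0, "beacon", "ff:ff:ff:ff:ff:ff")]
    + [(0.05 * i, "deauth", DOORBELL) for i in range(30)]  # 30 deauths in 1.5 s: a flood
    + [(5.0, "deauth", LAPTOP), (40.0, "deauth", LAPTOP)]   # two isolated, ordinary deauths
)


def peak_deauth_rate(frames, window_s=2.0):
    """For each destination, the largest number of deauthentication frames
    seen inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, subtype, dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window_s:  # drop frames that fell out of the window
            q.popleft()
        peak[dst] = max(peak[dst], len(q))
    return dict(peak)


def flooded_targets(frames, window_s=2.0, threshold=10):
    """Destinations whose peak deauth count exceeds the threshold. A client
    normally sees a handful of deauths per day, not dozens per second."""
    return {dst for dst, n in peak_deauth_rate(frames, window_s).items() if n > threshold}


if __name__ == "__main__":
    rates = peak_deauth_rate(SAMPLE_FRAMES)
    for dst in flooded_targets(SAMPLE_FRAMES):
        print(f"possible deauth flood against {dst}: {rates[dst]} frames within 2 s")
```

A real deployment would feed this from a monitor-mode capture and key on the BSSID as well, since a flood against one client is what forces the app into its reconfiguration prompt.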
If you’re so inclined, you can read the full White Paper on the Bitdefender website.
According to Bitdefender, all Ring Doorbell Pro cameras have received the security patch that fixes this flaw. That being said, in this day and age, it’s absurd that companies are rolling out products that still use unsecured HTTP protocols for transmitting sensitive data.
Given the nature of the exploit, there is no real easy way to tell if you were affected or not. While it’s unlikely you were affected, if you do have a Ring Video Doorbell Pro, you likely want to check what devices have accessed your network as well as change your Wi-Fi password. If you have found yourself having to reconfigure your device seemingly randomly recently, the chance is higher that you were affected and you’ll definitely want to change your password immediately.
Source: Bitdefender