Vulnerability in Amazon’s Ring doorbell

IoT security experts from BullGuard and Dojo have uncovered a previously unknown vulnerability in the networked video doorbell of the Amazon subsidiary Ring: audio and/or video material was transmitted unencrypted to the Ring app and was therefore vulnerable to external attacks. The vulnerability has now been fixed.


Some background about the vulnerability in Ring's doorbell

The networked video doorbell was launched by Ring, an Amazon subsidiary. It consists of an intelligent doorbell with a built-in security camera that transmits its image to a mobile app. For example, if the user is not at home, he can see who is ringing and open the door for the visitor, provided a Smart Lock system is installed.

The IoT security experts working with Yossi Atias discovered that audio and/or video material was transmitted unencrypted to the Ring app. The vulnerability existed between the cloud service and the mobile Ring app. The lack of encryption would have allowed hackers or thieves to send false images to the app in order to gain access to the house or apartment. The vulnerability could also have been exploited to monitor the surroundings at will.

The IoT security team from Dojo and BullGuard succeeded in manipulating the video feed so that the user believed a known person was standing in front of the door and could open the door in good faith.

Challenge: Security in IoT devices

"Ring is a respected brand, but the vulnerability we've uncovered in the video doorbell shows how vulnerable IoT devices are to attack," explains Atias. "This particular vulnerability is complex because it is located between the cloud and mobile Ring app and comes into play when the owner of the video doorbell is not at home. To make matters worse, the average user would not notice the tampering – with far-reaching consequences if the door is opened for a seemingly known person."

In addition, the security camera makes it possible to spy on residents and collect personal information, ranging from household habits, such as the times when residents are at home or not, to the names and details of family members. Hackers can use this data for further attacks. "The security of devices is only as strong as their weakest point," adds Yossi Atias. "When processing sensitive data like a video doorbell, secure transmission is not just one of many functions, but a must."


Technical details about the hack

The team around Yossi Atias was able to access the data traffic of the smart door system without any problems. If the user was at home, it was only necessary to gain access to the same Wi-Fi network, either by cracking weak network encryption or via an unprotected smart home device. When the user was on the move, the attacker had to open a Wi-Fi network near him as a "trap" and wait until he connected to it, or join the same shared public network. Once the hacker was on the same network as the user, he could use simple ARP spoofing to capture Ring's traffic before forwarding it to the mobile app. In addition, certain 3G/4G configurations also allowed malicious changes or attacks within the network. Encrypting the upstream Real-Time Transport Protocol (RTP) traffic did not complicate forgery if the downstream traffic was not secure, and encrypting the downstream Session Initiation Protocol (SIP) traffic would not interfere with the interception of the stream.
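The ARP spoofing step described above leaves a trace a defender on the same network can look for: a second MAC address answering for an IP address that already has a binding. The following is an added example, not code from the original article or from Dojo; the function names, MAC addresses and IP addresses are constructed for illustration.

```python
import struct

def parse_arp(frame: bytes):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return frame[6:12].hex(":"), frame[22:28].hex(":"), sender_ip

def detect_arp_spoof(frames):
    """Flag ARP frames that contradict the first-seen IP-to-MAC binding."""
    bindings, alerts = {}, []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sender_mac, sender_ip = parsed
        if eth_src != sender_mac:
            alerts.append((index, sender_ip, "ARP sender MAC differs from Ethernet source"))
        known = bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((index, sender_ip, f"binding changed {known} -> {sender_mac}"))
    return alerts

def build_arp_reply(sender_mac, sender_ip, target_ip):
    """Build a constructed ARP reply frame for the sample data below."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    to_ip = lambda s: bytes(int(p) for p in s.split("."))
    header = b"\xff" * 6 + mac + b"\x08\x06"
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return header + body + mac + to_ip(sender_ip) + b"\x00" * 6 + to_ip(target_ip)

# Constructed sample: locally administered MACs and private addresses.
GATEWAY, PHONE, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:20", "02:00:00:00:00:66"
SAMPLE = [
    build_arp_reply(GATEWAY, "192.168.1.1", "192.168.1.20"),
    build_arp_reply(PHONE, "192.168.1.20", "192.168.1.1"),
    build_arp_reply(OTHER, "192.168.1.1", "192.168.1.20"),  # second MAC claims the gateway IP
    build_arp_reply(GATEWAY, "192.168.1.1", "192.168.1.20"),
]

if __name__ == "__main__":
    for index, ip, reason in detect_arp_spoof(SAMPLE):
        print(f"frame {index}: {ip}: {reason}")
```

The detector trusts the first binding it sees, so a legitimate change such as a DHCP reassignment or a router replacement will also raise an alert. It only reveals the interception position; what closes the vulnerability itself is encrypting the media stream between the cloud service and the app.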

The vulnerability in Ring's networked video doorbell was discovered during routine ethical hacking. Dojo and BullGuard experts test various IoT devices to continuously improve the ability of the Dojo Intelligent IoT Platform (DIP) to defend against potential cyber attacks. Amazon has already released a new version of the Ring app that fixes this vulnerability and now protects the device from this type of attack. Comprehensive information about the hack and the security hole in Ring's video doorbell can be found on the Dojo blog.
