Threat Watch

Ring Camera Application Vulnerability Fixed by Amazon

The application security testing company Checkmarx discovered a high-severity vulnerability in the Amazon Ring app for Android. Checkmarx disclosed the vulnerability to Amazon on May 1st, 2022, and Amazon fixed the bug relatively quickly. Left unfixed, it could have given attackers the ability to access and obtain saved Ring camera records. With access to these records, attackers could be capable of extortion and data theft. An activity was left exposed within the app and could be launched by other apps on the same Android device. “This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string ‘/better-neighborhoods/’,” read a portion of the report from Checkmarx.

ANALYST NOTES

Amazon was quick to patch the vulnerability once it was reported. While apps are often set to auto-update, in this case it is important to verify that devices are running the latest version of Amazon Ring. Security cameras are an important physical security control, but they may also introduce additional risks. For example, in case a camera’s records are not secured, it is important to keep sensitive information that may be on paper or viewable on a computer screen out of the camera’s line of sight. This is most likely not the last time a vulnerability of this nature emerges, so taking steps to avoid exposure is essential.

https://www.bleepingcomputer.com/news/security/amazon-fixes-ring-android-app-flaw-exposing-camera-recordings/