Threat Watch

Ring Doorbell Vulnerability Allows Eavesdropping

A newly exposed vulnerability in the Ring Doorbell lies between the cloud service and the mobile applications. The researchers who discovered it were able to manipulate the Ring Doorbell to display an old recording of someone the user had previously talked to and let into their house, rather than the person actually standing at the doorbell. If the application user is home, the researchers were able to gain access to the application traffic by cracking weak encryption or exploiting another IoT device. If the user is not home, the attacker would be able to open a rogue Wi-Fi connection and wait for the victim to connect. Once the victim connects, the attacker would be able to capture data traffic. The vulnerability gives an attacker who decides to listen to the communication unauthorized access to potentially sensitive information shared with the Ring Doorbell application. It could also allow the attacker to trick the user into letting an unknown person into their house, which could cause them to lose physical property.

ANALYST NOTES

Amazon has released a new version of the Ring Doorbell software that fixes this vulnerability. Users should always make sure that all the devices on their home Wi-Fi are locked down and do not use the default logins. Likewise, when users are out in public, they should not join open Wi-Fi networks that randomly appear. Only trusted networks should be joined, in order to prevent attackers from being able to steal information.