Amazon’s Ring Video Doorbell Pro has been exposing the Wi-Fi network credentials of the houses in which it was installed, Bitdefender researchers found. The company subsequently patched the flaw.
The electronic doorbell was sending the Wi-Fi passwords in cleartext as it joined the local network, said the Bitdefender research report. This helps hackers in the vicinity gain entry to the network to steal users' personal data or snoop on those living in the house.
The smart doorbells manufactured by Ring, the company that Amazon bought in 2018, allow users to monitor their doorstep remotely using a smartphone app. Neighbors by Ring, an accompanying app, allows other Ring owners to view the videos uploaded by the device’s owners.
The smartphone app must send wireless network credentials while configuring the device. This transfer of network credentials happens in an insecure manner, via an unprotected access point, said the Bitdefender report.
"When entering configuration mode, the device creates an access point without a password (the SSID contains the last three bytes from the MAC address). Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network. All these exchanges are performed through plain HTTP. This means the credentials are exposed to any nearby eavesdroppers," said the report.
To start exploiting this vulnerability, an attacker would have to make the existing connection fail.
"The attacker must trick the user into believing that the device is malfunctioning so the user reconfigures it. One way to do this is to continuously send deauthentication messages, so that the device is dropped from the wireless network," said the report.
"Deauthentication is the process that allows a third party to mount the attack. It must be performed until the owner notices the device misbehaving. This might take a while, because the doorbell will still ring the chime when the button is pressed. The only difference is that it will not send a notification and cannot be reached by the remote servers. After a while, the app will show the device as offline."
The user will then try reconfiguring the device, while the attacker keeps sniffing all the packets, waiting for the plaintext credentials to be sent to the device.
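On the defensive side, the sustained deauthentication the report describes can be spotted by counting deauth frames per target station in a sliding time window. The sketch below is an added example, not code from Bitdefender or Ring; the record format, MAC addresses, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample records (not from the Bitdefender report), in an assumed
# format: "<epoch seconds> <frame subtype> dst=<station MAC>"
def make_sample():
    lines = ["1000.0 deauth dst=02:00:00:aa:bb:01",   # isolated frame, normal roaming
             "1003.0 beacon dst=ff:ff:ff:ff:ff:ff"]   # unrelated management frame
    # Sustained burst against a made-up doorbell MAC: 40 frames over 8 seconds
    lines += [f"{1100 + i * 0.2:.1f} deauth dst=02:00:00:aa:bb:02" for i in range(40)]
    return lines

def parse(line):
    """Split one record into (timestamp, subtype, destination MAC)."""
    ts, subtype, dst = line.split()
    return float(ts), subtype, dst.split("=", 1)[1]

def detect_deauth_floods(lines, window=10.0, threshold=20):
    """Return {station: (first_alert_time, peak_count)} for every station that
    receives at least `threshold` deauth frames within `window` seconds."""
    recent = defaultdict(deque)   # per-station timestamps inside the window
    alerts = {}
    for ts, subtype, dst in sorted(map(parse, lines)):
        if subtype != "deauth":
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            first, peak = alerts.get(dst, (ts, 0))
            alerts[dst] = (first, max(peak, len(q)))
    return alerts

if __name__ == "__main__":
    for sta, (when, peak) in detect_deauth_floods(make_sample()).items():
        print(f"possible deauth flood against {sta}: "
              f"first alert at t={when}, peak {peak} frames per window")
```

A single deauth frame is normal when a station roams or disconnects, which is why the check alerts only on a sustained rate against one station.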
Ring has subsequently issued a fix to all of its Video Doorbell Pro devices. However, the issue is not limited to one particular IoT device from one particular company, commented Stuart Sharp, VP of solution engineering at OneLogin.
"This latest IoT vulnerability highlights the urgent need for a new set of security standards and protocols that deal with the rapid emergence of connected devices. Governments need to establish guidance and manufacturers need to be held responsible for following best practices when designing connected devices. Standards won’t eliminate all vulnerabilities, but they could bring order to what is right now the wild west of IoT," he said.