Great, there’s a security flaw in Ring’s Video Doorbell that could let hackers steal your WiFi password
Just going to start handing out all my passwords to everyone I meet, screw it.
The exploit could let nearby attackers swipe your WiFi login, which would give them almost free rein over your home network. Yikes.
Researchers at Bitdefender have found that Amazon’s Ring Video Doorbell can leak your WiFi password
The vulnerability was found in the initial setup process, which seems to have been designed for ease of setup rather than with security in mind. See, when you turn on the doorbell, it creates an unprotected wireless access point to let your smartphone connect to it. That then lets you set up your WiFi details on the doorbell. The real issue is that your WiFi password is sent via the insecure HTTP protocol, instead of an encrypted one.
That means an attacker can connect to your doorbell at this stage, and swipe your WiFi details. But wait – if this is only possible during initial setup, doesn’t that limit the attack? Sure, but there’s a way to make the user think their doorbell is having issues, forcing them to redo the configuration steps. Bingo, one WiFi password transmitted in the clear, one compromised home network.
It shouldn’t really need saying that if someone has your WiFi password, they can do almost everything on your home network. That includes things like:
- Interacting with all your devices
- Reading all your network traffic and running man-in-the-middle attacks to get your passwords to other services
- Reading all your network-attached storage
- Hacking your other devices with known exploits – this could lead to them reading your emails, etc.
- Watching your security camera feeds and stealing footage
A Ring spokesperson tells KnowTechie in an email:
“Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched.”
If you own a Ring Video Doorbell, go make sure you’ve updated to the latest version – an automatic security update was pushed out in September that fixes this issue.