Smart Doorbell Rings Back to China

Users of Video Doorbell Pro from Ring have reported some unusual behavior by the device, as it sent data with regularity to an IP address in China. Customers took to Reddit to debate the issue, and any privacy and security implications.

According to Matthew Lehman, Vice President of Information Security at Ring, the product’s approach to loss of connectivity was to send the last packets of the communication “to a non-routable address on a protocol no one uses,” as an alternative to dropping the entire call.

Two customers confirmed the packets were sent using UDP (User Datagram Protocol), which allows easy spoofing of the IP address and alteration of the message; also, the destination was a routable IP in China belonging to Baidu, the web services giant. Because of this, users expressed fear on Reddit that the security of the device may have been compromised and that data captured by the doorbell could be analyzed by an outsider, or worse, the gadget could represent a way into the home network.

Examination of the packets sent to China revealed they were short pieces of audio data, 160 bytes containing 20ms of sound; too short to invade privacy, even if someone were listening at the other end.

It is worth noting that Ring did the right thing and took action as soon as they heard about their customers’ worries. Apart from the voice of its Information Security VP, the company’s CTO Joshua Roth also addressed Reddit users to ease their concerns.

Roth said the problem flagged by customers was not a vulnerability because any packet getting back to the doorbell would have been discarded and the socket would shut down when the data was sent. More than this, the device has automatic updates and a new firmware was rolled out to customers, confirmed by some of them.