Bitdefender Finds Ring Doorbell Vulnerability that Exposes User's Wi-Fi Password

Asked by PCMaG to examine a few IoT devices, including Amazon’s Ring Video Doorbell Pro, Bitdefender found a vulnerability that would let attackers intercept the Wi-Fi passwords of anyone using the device.
Amazon’s Ring Video Doorbell Pro is a great product, but like all devices in the IoT ecosystem, it’s always exposed to malicious actors. The vulnerability discovered by Bitdefender lets an attacker intercept the communication between the doorbell and the owner.
Access to an internal network of a user is much more serious than the simple access to the doorbell. Once inside the network, it would be much easier to access various other devices, including smart assistants, NAS servers, and even computers with weak credentials.
People tend to have strong security on the perimeter, with complicated passwords for the Wi-Fi, for example. But how many users change the default user names and passwords of the router?
The attacker could force the Ring doorbell to deauthenticate by using an existing provision in the IEEE 802.11 (Wi-Fi) protocol. The doorbell normally accepts such deauthentication requests only from a specific MAC address, but the MAC address can be sniffed out with special tools and replicated.
When the legitimate owner of the doorbell notices that his device no longer connects to the network, he starts the setup process all over again. And this is where the problem lies. The Ring doorbell and the user communicate over HTTP, exposing the Wi-Fi password.
Amazon was quick to fix the vulnerability, and communication for the Ring setup is now encrypted. Fortunately, the user name and password of the Ring app are communicated via an API, which means that it isn’t sent over unsecured channels.
For more technical details and a proof of concept, you can check out our whitepaper. Amazon triggered an automatic update, and Ring doorbells and attackers can’t exploit them in this manner.
tags
Author
Right now
Top posts
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight
April 15, 2022
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users
April 14, 2022
Why and how to hide your IP address while traveling
April 13, 2022
How Bitdefender Can Help Restore Your Privacy in the Digital Age
April 04, 2022
How Strong is VPN Encryption?
February 28, 2022
Top Three Ways Internet Users Unknowingly Help Cybercriminals
February 25, 2022