1 min read

Bitdefender Finds Ring Doorbell Vulnerability that Exposes User's Wi-Fi Password

Silviu STAHIE

November 08, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Bitdefender Finds Ring Doorbell Vulnerability that Exposes User's Wi-Fi Password

Asked by PCMaG to examine a few IoT devices, including Amazon’s Ring Video Doorbell Pro, Bitdefender found a vulnerability that would let attackers intercept the Wi-Fi passwords of anyone using the device.

Amazon’s Ring Video Doorbell Pro is a great product, but like all devices in the IoT ecosystem, it’s always exposed to malicious actors. The vulnerability discovered by Bitdefender lets an attacker intercept the communication between the doorbell and the owner.

Access to an internal network of a user is much more serious than the simple access to the doorbell. Once inside the network, it would be much easier to access various other devices, including smart assistants, NAS servers, and even computers with weak credentials.

People tend to have strong security on the perimeter, with complicated passwords for the Wi-Fi, for example. But how many users change the default user names and passwords of the router?

The attacker could force the Ring doorbell to deauthenticate by using an existing provision in the IEEE 802.11 (Wi-Fi) protocol. The doorbell normally accepts such deauthentication requests only from a specific MAC address, but the MAC address can be sniffed out with special tools and replicated.

When the legitimate owner of the doorbell notices that his device no longer connects to the network, he starts the setup process all over again. And this is where the problem lies. The Ring doorbell and the user communicate over HTTP, exposing the Wi-Fi password.

Amazon was quick to fix the vulnerability, and communication for the Ring setup is now encrypted. Fortunately, the user name and password of the Ring app are communicated via an API, which means that it isn’t sent over unsecured channels.

For more technical details and a proof of concept, you can check out our whitepaper. Amazon triggered an automatic update, and Ring doorbells and attackers can’t exploit them in this manner.

tags


Author



Right now

Top posts

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

April 15, 2022

3 min read
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

April 14, 2022

3 min read
Why and how to hide your IP address while traveling

Why and how to hide your IP address while traveling

April 13, 2022

2 min read
How Bitdefender Can Help Restore Your Privacy in the Digital Age

How Bitdefender Can Help Restore Your Privacy in the Digital Age

April 04, 2022

3 min read
How Strong is VPN Encryption?

How Strong is VPN Encryption?

February 28, 2022

3 min read
Top Three Ways Internet Users Unknowingly Help Cybercriminals

Top Three Ways Internet Users Unknowingly Help Cybercriminals

February 25, 2022

4 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Ukrainian Citizen Sentenced to Prison for Brute-Forcing Credentials and Selling them Online Ukrainian Citizen Sentenced to Prison for Brute-Forcing Credentials and Selling them Online
Silviu STAHIE

May 13, 2022

2 min read
Mozilla Says Many Health and Prayer Apps Are Pose Security Risks Mozilla Says Many Health and Prayer Apps Are Pose Security Risks
Silviu STAHIE

May 09, 2022

2 min read
$5 Million Worth of Bored Ape NFTs Stolen by Scammers Pretending to Return Gas Fees $5 Million Worth of Bored Ape NFTs Stolen by Scammers Pretending to Return Gas Fees
Silviu STAHIE

May 05, 2022

1 min read