Bitdefender Finds Ring Doorbell Vulnerability that Exposes User’s Wi-Fi Password

Asked by PCMaG to examine a few IoT devices, including Amazon’s Ring Video Doorbell Pro, Bitdefender found a vulnerability that would let attackers intercept the Wi-Fi passwords of anyone using the device.

Amazon’s Ring Video Doorbell Pro is a great product, but like all devices in the IoT ecosystem, it’s always exposed to malicious actors. The vulnerability discovered by Bitdefender lets an attacker intercept the communication between the doorbell and the owner.

Access to an internal network of a user is much more serious than the simple access to the doorbell. Once inside the network, it would be much easier to access various other devices, including smart assistants, NAS servers, and even computers with weak credentials.

People tend to have strong security on the perimeter, with complicated passwords for the Wi-Fi, for example. But how many users change the default user names and passwords of the router?

The attacker could force the Ring doorbell to deauthenticate by using an existing provision in the IEEE 802.11 (Wi-Fi) protocol. The doorbell normally accepts such deauthentication requests only from a specific MAC address, but the MAC address can be sniffed out with special tools and replicated.

When the legitimate owner of the doorbell notices that his device no longer connects to the network, he starts the setup process all over again. And this is where the problem lies. The Ring doorbell and the user communicate over HTTP, exposing the Wi-Fi password.

Amazon was quick to fix the vulnerability, and communication for the Ring setup is now encrypted. Fortunately, the user name and password of the Ring app are communicated via an API, which means that it isn’t sent over unsecured channels.

For more technical details and a proof of concept, you can check out our whitepaper. Amazon triggered an automatic update, and Ring doorbells and attackers can’t exploit them in this manner.

Add Comment

Your email address will not be published. Required fields are marked *