User privacy threatened by Ring’s smart doorbell

A software vulnerability in Ring’s Wi-Fi-connected smart doorbell didn’t revoke user access once the password was changed, allowing anyone who had been logged in to continue using the camera features, Engadget writes.

The privacy issue was detected in January by a man from Miami who was spied on for months by his ex-partner, who had the app on his phone. Even though the password had been changed twice following their separation, the doorbell flaw still allowed video access and download by not immediately requesting users sign back in.

The security flaw was reported by The Information. Ring announced in January that the flaw was fixed. However, the device’s security is still in question because the password change doesn’t sync in real-time with the apps and could take even 24 hours, as confirmed by CEO Jamie Siminoff. Siminoff said updates would slow down the application if they were implemented immediately.

“Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security,” Ring said in a statement. “We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s “Shared Users” feature. This way, owners maintain control over who has access to their devices and can immediately remove users. Our team is taking additional steps to further improve the password change experience.”

Amazon bought Ring in February for $1 billion, as part of a plan to tap into the smart home market.