In case you don't own one of these, Amazon's Ring Video Doorbell is a smart wireless home security doorbell camera that lets you see, hear and speak to anyone on your property from anywhere in the World.
The smart doorbell needs to be connected to your WiFi network, allowing you to remotely access the device from a smartphone app to perform all tasks wirelessly.
While setting up the device for the very first time and share your WiFi password with it, you need to enable the configuration mode from the doorbell.
Entering into the configuration mode turns on a built-in, unprotected wireless access point, allowing the RING smartphone app installed on your device to automatically connect to the doorbell.
However, researchers told The Hacker News that besides using an access point with no password, the initial communication between the Ring app and the doorbell, i.e., when you share your home's WiFi password with the doorbell, is performed insecurely through plain HTTP.
Thus, a nearby attacker can simply connect to the same unprotected wireless access point, while the setup in the process, and steal your WiFi password using a man-in-the-middle attack.
Since this attack can only be performed during the "one-time initial configuration" of the device, you might be wondering how an attacker can leverage this loophole after the device has already been configured.
Researchers suggested that by continuously sending de-authentication messages to the device, an attacker can trick the user into believing that the device is malfunctioning, forcing him to re-configure it.
"Attackers can trigger the reconfiguration of the Ring Video Doorbell Pro. One way to do this is to continuously send deauthentication packets, so that the device is dropped from the wireless network. At this point, the App loses connectivity and tells the user to reconfigure the device," the researchers told The Hacker News.
"The live view button becomes greyed out and, when clicked, the app will suggest restarting the router or pressing the setup button twice on the doorbell. Pressing the button twice will trigger the device to try to reconnect to the network – an action that will fail. The last resort is to try and reconfigure the device," Bitdefender said in a blog post.
Once the owner enters into the configuration mode to re-share WiFi credentials, the attacker sniffing the traffic would capture the password in plaintext, as shown in the screenshot.
Once in possession of a user's WiFi password, an attacker can launch various network-based attacks, including:
- Interact with all devices within the household network;
- Intercept network traffic and run man-in-the-middle attacks
- Access all local storage (NAS, for example) and subsequently access private photos, videos and other types of information,
- Exploit all vulnerabilities existing in the devices connected to the local network and get full access to each device; that may lead to reading emails and private conversations,
- Get access to security cameras and steal video recordings.
Bitdefender discovered this vulnerability in Ring Video Doorbell Pro devices in June this year and responsibly reported it to Amazon, but got no update from the company.
When requested for an update in late July, the vendor closed the vulnerability report in August and marked it as a duplicate without saying whether a third party already reported this issue.
However, after some communication with the vendor, an automatic fix for the vulnerability was partially issued on 5th September.
"However, to be on the safe side Ring Video Doorbell Pro users should make sure they have the latest update installed. If so, they're safe."
"Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it's since been patched," a spokesperson for the Ring told The Hacker News.
A similar security vulnerability was discovered and patched in the Ring Video Doorbell devices in early 2016 that was also exposing the owner's WiFi network password to attackers.