A serious flaw in the popular Ring smart doorbell could allow an attacker on a shared WiFi network to spy on families’ video and audio footage, according to researchers.
Ring Doorbell is a popular home security device acquired by Amazon. Researchers with BullGuard discovered a way to launch a man-in-the-middle hack against the smart doorbell app, enabling arbitrary surveillance and even the injection of counterfeit video traffic.
“The attack scenarios possible are far too numerous to list, but for example imagine capturing an Amazon delivery and then streaming this feed,” Or Cyngiser, cyber security researcher with Dojo by BullGuard, said in a Wednesday post. “It would make for a particularly easy burglary. Spying on the doorbell allows for gathering of sensitive information – household habits, names and details about family members including children, all of which make the target an easy prey for future exploitation. Letting the babysitter in while kids are at home could be a potentially life threatening mistake.”
Ring has patched the vulnerability in version 3.4.7 of the Ring app – but has not notified users of the flaw in its patch notes, researchers said. “Please make sure to upgrade to a newer version ASAP as the affected versions are still backward compatible and vulnerable,” they urged.
Amazon and Ring haven’t returned requests for comment.
Ring enables two-way communication between the smart doorbell and the users’ mobile apps, allowing users to confirm who is ringing from anywhere via the internet. Ring owners can also remotely open the door via Alexa if a supported smart lock is installed.
However, BullGuard researchers found that audio and video footage sent from the doorbell to the app was transmitted in plaintext – meaning that an attacker could extract that data.
“The data seems sensible, and therefore we might be able to extract it,” they said. “Using our handy videosnarf [VoIP Sniffer and security tool] utility, we get a viewable MPEG file. This means anyone with access to incoming packets can see the feed! Similarly, we can also extract the audio G711 encoded stream.”
An attacker would need to be on a shared WiFi network, researchers said.
“Accessing application traffic is not a difficult task – if the user is at home, we just need Wifi access – either cracking weak encryption if present, or exploiting another home device,” researchers said. “When the user is in transit, one can open a rogue Wifi near him and wait for him to join, or join a common public network.”
Once an attacker shares a network with the victim, a simple ARP spoof allows them to capture Ring data traffic before passing it on to the app. Address Resolution Protocol (ARP) spoofing is when a malicious actor sends falsified ARP messages over a local area network – resulting in their MAC address being linked to the IP address of a legitimate server on the network.
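The falsified binding described above leaves a trace that a defender on the same LAN can watch for: an IP address that suddenly answers from a different MAC, or one MAC claiming several IPs. The following is an added example, not code from BullGuard or Ring; it parses raw ARP payloads and flags both conditions, and every address in the sample is constructed.

```python
import struct
from collections import defaultdict

def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload; return (op, sender_mac, sender_ip) or None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    mac = payload[8:14].hex(":")
    ip = ".".join(str(b) for b in payload[14:18])
    return op, mac, ip

def find_conflicts(payloads):
    """Flag IPs whose claimed MAC changes and MACs that claim more than one IP."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for raw in payloads:
        parsed = parse_arp(raw)
        if parsed is None or parsed[2] == "0.0.0.0":  # skip malformed frames and ARP probes
            continue
        _, mac, ip = parsed
        known = ip_to_mac.get(ip)
        if known and known != mac:
            alerts.append(("ip-rebound", ip, known, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(("mac-multi-ip", mac, tuple(sorted(ips))))
    return alerts

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Helper that builds the constructed sample payloads below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

# Constructed sample: gateway at .1, phone at .20, then host .66 claims the gateway's IP.
SAMPLE = [
    build_arp(2, "aa:aa:aa:00:00:01", "192.168.1.1", "bb:bb:bb:00:00:20", "192.168.1.20"),
    build_arp(1, "bb:bb:bb:00:00:20", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(1, "cc:cc:cc:00:00:66", "192.168.1.66", "00:00:00:00:00:00", "192.168.1.20"),
    build_arp(2, "cc:cc:cc:00:00:66", "192.168.1.1", "bb:bb:bb:00:00:20", "192.168.1.20"),
]

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE):
        print(alert)
```

A rebound alert can also come from a legitimate change such as a replaced router or a failover pair, so it is a signal to investigate rather than proof of spoofing.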
“The main takeaway from this research is that security is only as strong as its weakest link,” said Cyngiser. “When dealing with such sensitive data like a doorbell, secure transmission is not a feature but a must, as the average user will not be aware of potential tampering.”