Worrying flaw in Amazon Ring doorbells could let hackers insert fake footage into your video feed


Security researchers have identified a flaw in smart doorbells made by Amazon-owned Ring that could let hackers splice fake footage into your video feed, as well as potentially listen in on live audio and video broadcasts. 

The vulnerability was discovered by Dojo, the network security division of cyber security firm BullGuard, and presented this week at the annual Mobile World Congress conference. 

Ring has since patched the flaw in the app’s latest software update, version 3.4.7.   

A flaw in smart doorbells made by Amazon-owned Ring could let hackers splice fake footage into your video feed, as well as potentially listen in on live audio and video broadcasts

HOW CAN HACKERS VIEW YOUR RING FEED? 

Researchers from BullGuard’s Dojo network security unit used ‘ethical hacking’ to discover a flaw in Ring’s smart doorbells. 

They found that audio and video are transmitted between the Ring app and the video camera in plain text. 

As a result, hackers are able to listen in on video and audio recordings from the Ring device. 

Then, after joining the same WiFi network, hackers are able to insert fake footage into the user’s camera feed. 

The hack works ‘smoothly’ and can’t be detected from within the Ring mobile app. 

The flaw has been fixed in the latest Ring software update, which is version 3.4.7. 

‘Customer trust is important to us and we take the security of our devices seriously,’ a Ring spokesperson told Dailymail.com. 

‘The issue in the Ring app was previously fixed and we always encourage customers to update their apps and phone operating systems to the latest versions.’

If users haven’t updated to the latest software version, their doorbell could still be affected by the flaw. 

In a blog post, Dojo security researcher Or Cyngiser laid out how the firm was able to carry out the attack. 

Ring doorbells have built-in two-way communication which allows the smart doorbell and the mobile app to send data back and forth. 

Dojo researchers found that audio and video are transmitted via data packets in plain text.

‘This means anyone with access to incoming packets can see the feed,’ Cyngiser explained. 

Then, the attacker either joins the device owner’s WiFi network, or creates a rogue WiFi network and waits for the device owner to join.  

‘…Once sharing a network, a simple ARP spoof will allow us to capture Ring data traffic before passing it on to the app.’ 

Not only were the researchers able to snoop on footage, they were able to inject their own onto the device’s video feed. 

‘We developed a [proof of concept], whereby we first captured real footage in a so-called “recon mode,”’ Cyngiser said. 

‘Then, in “active mode,” we can drop genuine traffic and inject the acquired footage.

‘This hack works smoothly and is undetectable from within the app,’ he added. 
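Because the app gives no sign of the interception, the ARP spoofing step is the part a home or office network can watch for. The sketch below is an added example, not code from Dojo's blog post or from Ring: it takes ARP replies observed on the local network and flags an IP address that changes MAC address, and a single MAC that claims several IPs. The sample records, addresses and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP replies on a
# home WLAN. Assumed roles: .1 is the router, .23 the phone, .40 the doorbell.
# All MACs are made-up locally administered addresses.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "02:00:00:00:00:01"),
    (1.2, "192.168.1.40", "02:00:00:00:00:40"),
    (2.5, "192.168.1.23", "02:00:00:00:00:23"),
    (30.1, "192.168.1.1", "02:00:00:00:00:99"),   # router IP claimed by a new MAC
    (30.2, "192.168.1.40", "02:00:00:00:00:99"),  # doorbell IP claimed by the same MAC
    (31.0, "192.168.1.1", "02:00:00:00:00:01"),   # real router answers again
    (32.0, "192.168.1.1", "02:00:00:00:00:99"),
]


def find_arp_conflicts(replies, flap_threshold=2):
    """Return sorted (kind, subject, detail) findings for suspicious bindings."""
    macs_for_ip = defaultdict(list)  # ip -> MACs in order of first appearance
    ips_for_mac = defaultdict(set)   # mac -> every IP it has claimed
    changes = defaultdict(int)       # ip -> how often its MAC switched
    last_mac = {}
    for _ts, ip, mac in sorted(replies):
        mac = mac.lower()
        if ip in last_mac and last_mac[ip] != mac:
            changes[ip] += 1
        last_mac[ip] = mac
        if mac not in macs_for_ip[ip]:
            macs_for_ip[ip].append(mac)
        ips_for_mac[mac].add(ip)

    findings = []
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            # Repeated switching suggests two hosts competing for one IP.
            kind = "ip-flapping" if changes[ip] >= flap_threshold else "ip-rebound"
            findings.append((kind, ip, tuple(macs)))
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            findings.append(("mac-claims-many-ips", mac, tuple(sorted(ips))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(finding)
```

A single rebinding can be benign, for example after a DHCP lease change or a router swap, so findings are leads to check against the known router and device MAC addresses rather than proof of interception.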

The attack makes a range of dangerous scenarios possible, like convincing homeowners that someone is at their front door, leaving them vulnerable to burglaries.  

Ring has patched the flaw in the app's latest software update, version 3.4.7. However, if users haven't updated to the latest software version, their doorbell could still be affected by the flaw

What’s more, particularly dedicated attackers could learn sensitive information about a certain household, including their daily habits, names and details about family members, including children, Cyngiser said.  

Ring doorbells have faced security issues in the past. 

In January, a report from The Intercept found that Ring allowed its employees to watch live footage from customers’ cameras.

Ring engineers and executives were reportedly given access to ‘unfiltered, round-the-clock’ feeds of some users’ footage.

The unencrypted videos were shared between employees on company servers and included footage from outside and, in some cases, inside users’ homes.  

Ring denied the findings in a statement to Dailymail.com. 

‘We take the privacy and security of our customers’ personal information extremely seriously,’ the spokesperson said.

‘In order to improve our service, we view and annotate certain Ring video recordings. 

‘These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. 

‘Ring employees do not have access to livestreams from Ring products,’ they added.

Amazon acquired Ring for $1 billion last February and, since then, it has put in place heightened security measures to prevent employees from accessing sensitive customer data.    

WHAT IS RING AND WHY DID AMAZON BUY IT?

Amazon acquired home security startup Ring for a reported £700 million ($1 billion).

The home security startup sells doorbells that capture video and audio.

Clips can be streamed on smartphones and other devices, while the doorbell even allows homeowners to remotely chat to those standing at their door.

Ring sells doorbells (left) that capture video and audio. Clips can be streamed on smartphones and other devices, while the doorbell even allows homeowners to remotely chat to those standing at their door

Ring promotes its gadgets as a way to catch package thieves, a nuisance that Amazon has been looking to remedy. 

Amazon late last year unveiled its own smart lock and camera combination called Amazon Key in a move into home security.

Key is designed to provide a secure and trackable way for packages to be delivered inside homes when people aren’t there.

Amazon has bought home security startup Ring for a reported £700 million ($1 billion)

Ring’s doorbell could work well with Amazon Key, which lets delivery personnel put packages inside a home to avoid theft or, in the case of fresh food, spoiling.

California-based Ring first caught the spotlight with a failed quest for funding about five years ago on reality television show Shark Tank.

Ring went on to win backing from the likes of billionaire Richard Branson and Amazon’s Alexa Fund.


