Ring video doorbell users urged to update firmware after vulnerability discovered
Ring customers are being urged to ensure they update the software of their video doorbell to the latest version, after researchers discovered a security flaw.
The live video and audio feed, sent from the doorbell's camera and microphone to the user's smartphone, could be intercepted. A hacker could not only view the footage but also replace the feed with their own video.
Potentially a hacker or burglar could ring the bell, then hijack the live video feed and send alternative footage to the target's smartphone — perhaps of a fake Amazon delivery driver, encouraging them to open the door either in person or remotely through a smart lock. Due to a lack of robust encryption, anyone with access to the Wi-Fi network used by the doorbell could see its live video feed.
The flaw, which was recently patched by Amazon-owned Ring with the latest software update, was discovered by security researchers at Dojo by BullGuard, which specializes in the cybersecurity of Internet of Things devices. Ring owners need to update the software to make sure the patch gets to their devices.
"Accessing application traffic [video and audio from the doorbell] is not a difficult task," Dojo explained, adding: "If the user is at home, we just need Wi-Fi access - either cracking weak encryption if present, or exploiting another home device."
Dojo also notes how, in a highly targeted attack (on a high-profile person, for example), hackers could dupe the target into connecting to a bogus public Wi-Fi hotspot while away from home, then use this connection to spy on the doorbell video feed. The hack was demonstrated at Mobile World Congress this week, but using hardware lacking Ring's latest software update.
The researchers add: "Spying on the doorbell allows for gathering of sensitive information - household habits, names and details about family members including children, all of which makes the target an easy prey for future exploitation. Letting the babysitter in while kids are at home could be a potentially life threatening mistake."
This may seem like an unlikely scenario in most cases, with more steps than an opportunistic thief is likely to be willing to work through. However, it shines a light, yet again, on how Internet of Things devices (including smart home devices like video doorbells) are often only as protected as the least secure part of the chain.
In other words, all it takes is one insecure device connected to your Wi-Fi network, which can then be used to gain access to the network and the other devices on it, such as a Ring doorbell. If that device also has weak encryption, as was the case before the recent software patch, it too can be exploited.
Dojo notes: "The main takeaway from this research is that security is only as strong as its weakest link."
This is not the first time Ring's security has been compromised. In 2018, it was found that users remained logged into the Ring app — and could therefore continue to view the camera's live footage — despite the app's password being changed.