Amazon Ring Doorbells Exposed Home Wi-Fi Passwords To Hackers (techcrunch.com) 25
An anonymous reader quotes a report from TechCrunch: Security researchers have discovered a vulnerability in Ring doorbells that exposed the passwords for the Wi-Fi networks to which they were connected. Bitdefender said the Amazon-owned doorbell was sending owners' Wi-Fi passwords in cleartext as the doorbell joins the local network, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network to launch larger attacks or conduct surveillance.
"When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecure manner, through an unprotected access point," said Bitdefender. "Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network." But all of this is carried out over an unencrypted connection, exposing the Wi-Fi password that is sent over the air. Amazon fixed the vulnerability in all Ring devices in September, but the vulnerability was only disclosed today.
Probably a common hole. (Score:2, Insightful)
Re: (Score:2)
I might be worried if you were setting one of these up in a multi-tenant building where someone could have a persistent snooper set up.
Still.... how paranoid do you want to be?
If you only give it the wifi password for your guest/iot network, then nothing terribly secret has been leaked.
Re: (Score:2)
I might be worried if you were setting one of these up in a multi-tenant building where someone could have a persistent snooper set up.
Still.... how paranoid do you want to be?
Maybe the wording in TFS and TFA is bad, but I read it as it is exposing the credentials anytime it connects to the network. That's significantly more worrying than if it was just during the initial setup where someone would need to be watching at just the right time.
If you only give it the wifi password for your guest/iot network, then nothing terribly secret has been leaked.
Probably would have been a reasonable assumption when these things first started appearing, but now they are being installed by average people that don't bother changing their router passwords. In 4 blocks worth of townhouses surrounding my
Re: (Score:2)
Maybe the wording in TFS and TFA is bad, but I read it as it is exposing the credentials anytime it connects to the network.
That's what I gathered, as well.
Re: (Score:2)
If you have an old-style doorbell button that you replaced with the Ring version then it is powered and on the network all the time. It's only the battery powered ones that connect and disconnect to save energy.
Just reread the TechCrunch article, and it looks as if the issue is the connection between the phone app and the doorbell when it's first set up. Once the doorbell has received the password it logs onto the WiFi network in the normal secure manner. So it's just a momentary blip in the traffic be
Re: (Score:2)
Re: Probably a common hole. (Score:3)
I beg to differ with personal experience. If you live in a rural area or suburbs, the chances are low. High density areas or apartments are another matter.
Re: (Score:3)
If you live in a rural area or suburbs, the chances are low.
The danger isn't that Old Man Chickenfucker next door is an "evil hacker," the danger is that when he tried to download his chicken pr0n he ran an exe and installed a botnet client that is now going to try to spy on his neighbors. Now they're in your wifi.
This ain't a bug (Score:5, Insightful)
This is not a bug, it's a stupid _design_ decision that shows how many fucks are given: exactly zero. Remember, in IoT, "S" stands for "Security".
How is a WiFi router accepting plain text password (Score:2)
Even WEP used a nonce challenge that was encrypted.
Not great, allowed offline dictionary attacks, but much better than plain password.
(They should be using Secure Remote Password, but not even WPA2 does that.)
And we should not be sending passwords clear text to web sites even if using TLS which relies on the end user validating URLs.
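The Secure Remote Password route the comment above recommends, as an added worked example (not code from the page, from Ring, Bitdefender or TechCrunch): a minimal SRP-6a exchange in Python between a client that knows the password and a server that holds only a salt and verifier. The names `enroll`, `Client`, `Server`, `run_exchange` and `leaks_secret`, and the identity and password values, are constructed for this example; the group is the 1024-bit group from RFC 5054, chosen so the example runs quickly (larger groups are preferred in practice). What it shows is the point the comment makes against the cleartext setup described in the summary: the password itself never goes on the wire, only the ephemeral values A and B and two hash proofs, and a wrong password produces no session key.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 (generator g = 2). Larger groups are
# preferred in production; this one keeps the example fast.
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def H(*parts):
    """SHA-256 over the concatenated byte strings, returned as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n):
    """Left-pad an integer to the byte length of N, as SRP-6a requires."""
    return n.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def enroll(identity, password):
    """Run once over a trusted channel: the server stores (salt, verifier),
    never the password itself."""
    salt = secrets.token_bytes(16)
    x = H(salt, hashlib.sha256(identity + b":" + password).digest())
    return salt, pow(g, x, N)


class Client:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.a = secrets.randbelow(N)  # ephemeral secret, never leaves the client
        self.A = pow(g, self.a, N)

    def respond(self, salt, B):
        if B % N == 0:
            raise ValueError("server sent a degenerate B")
        u = H(pad(self.A), pad(B))
        x = H(salt, hashlib.sha256(self.identity + b":" + self.password).digest())
        # S = (B - k*g^x)^(a + u*x) mod N
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify_server(self, M2):
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return secrets.compare_digest(expected, M2)


class Server:
    def __init__(self, salt, verifier):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbelow(N)  # ephemeral secret, never leaves the server
        self.B = (k * self.v + pow(g, self.b, N)) % N

    def challenge(self):
        return self.salt, self.B

    def check_client(self, A, M1):
        if A % N == 0:
            raise ValueError("client sent a degenerate A")
        u = H(pad(A), pad(self.B))
        # S = (A * v^u)^b mod N; equals the client's S only if x matched
        S = pow(A * pow(self.v, u, N), self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(A) + pad(self.B) + self.K).digest()
        if not secrets.compare_digest(expected, M1):
            return None  # wrong password: no session key, no M2
        return hashlib.sha256(pad(A) + M1 + self.K).digest()


def run_exchange(stored, identity, password):
    """Full exchange. Returns (client_ok, wire) where wire lists every message
    a passive listener on the network would observe."""
    salt, v = stored
    client, server = Client(identity, password), Server(salt, v)
    wire = [("C->S", identity, pad(client.A))]
    s, B = server.challenge()
    wire.append(("S->C", s, pad(B)))
    M1 = client.respond(s, B)
    wire.append(("C->S", M1))
    M2 = server.check_client(client.A, M1)
    if M2 is None:
        return False, wire
    wire.append(("S->C", M2))
    return client.verify_server(M2), wire


def leaks_secret(wire, secret):
    """True if the secret appears verbatim in any byte string on the wire."""
    return any(secret in f for _, *fields in wire for f in fields if isinstance(f, bytes))


if __name__ == "__main__":
    stored = enroll(b"doorbell-1", b"correct horse battery")  # constructed values
    ok, wire = run_exchange(stored, b"doorbell-1", b"correct horse battery")
    print("authenticated:", ok, "| password on the wire:", leaks_secret(wire, b"correct horse battery"))
```

In a provisioning flow like the one in the summary, the session key `K` both sides derive here is what a Wi-Fi credential would be encrypted under before it is handed to the device, instead of being sent in the clear; that design choice is the example's assumption, not a description of what any vendor does.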
Re: (Score:2)
Remember, in IoT, "S" stands for "Security".
I don't mind paying an extra $20 for a "dumb" TV, but what irks me about modern consumer electronics is that I had to take the thing apart and DIY a headphone jack onto it.
Re: (Score:2)
They probably used an off-the-shelf HTTP/S package that didn't allow them to use regular PKI with cheap manufacturing so rather than spend the effort to write a secure networking class they used cleartext HTTP.
This is perfectly reasonable for a quick prototype, and "prototypes put into production" are the bane of all IT, not just security.
So what we really learn here is that Ring has serious problems with their development methodology, including either audits or commitment to privacy and security.
I'm glad I
Security is a process, not a product (Score:2)
What... no dedicated “untrustworthy” S (Score:2)
Segment things you don’t trust into segregated SSIDs and VLANs, and firewall/log the living shit out of it. What, your router/AP can’t do that? Time to replace and hire someone if you can’t set it up securely yourself.
I have more problems with the defective Pro design (Score:2)
My bigger problem is the defective design of the Ring Pro doorbell. It has an internal battery that cannot be replaced by the average user. Once it stops holding a charge as all lithium batteries will do eventu
Re: (Score:2)
"some kind of QR code you scan to connect with that random password."
The new hardware apparently does that.
Use wired connections more (Score:2)
The problem of how to transfer credentials onto a device during initial setup is always thorny. There's always a hole somewhere. Ultimately, the best solution to this is a wired connection. If you plugged the doorbell into a PC via USB and gave it the credentials that way then there would be no concern. But the drive to make everything configurable wirelessly via a phone opens up security holes. Similar problems exist with wireless payments, RFID passports, or wireless pin pads.
Wire it in (Score:1)
Same great security and amazing video clips.
To share with the internet and police. Criminals going house to house doing crime.
Network in that camera and share the resulting video of criminals.
Show the world who is doing lots of crime in your once good and safe part of the USA.
Re: (Score:2)
Show the world who is doing lots of crime in your once good and safe part of the USA.
I'll give you a hint; they shuffle slowly, picking at open wounds, and yet somehow, they're not quite finished changing into zombies yet.
Zero Security (Score:2)
So a bunch of Zero Security devices connect to a Zero Security network that exists solely for the purpose of the mutual masturbation of the Zero Security devices, using Zero Security and this causes surprise? Quite frankly it would be what I would expect and I would be astonished if there were anything different.
Another IoT screw up (Score:2)
Yet each and every day, more and more devices want us to connect them to the Internet... ... Those who buy this stuff without thinking about the consequences.
Security is usually an afterthought.
Iot == Idiots or Twits
Call me a luddite but none of this crap will ever be connected up in my home. If it stops working because I've not connected it then I'll get my money back. Why should my toaster want to talk to some server in China? There really is no need for this whatsoever.
Another bandwagon. Another answer wa
Re: (Score:2)
Oh! A T-120? Loved my '69 Trophy, but I sold it for a ticket to Peru where I met the love of my life. The price was worth it.
We have a cottage over an hour away, the IoT stuff helps us make sure that it's still secure, a fallen limb hasn't taken out the skylight and let the rain in, and the heat hasn't failed and let the pipes freeze. I agree that most of it is overkill, but there are valid uses for them.
Re: (Score:2)