Security researchers at Bitdefender have discovered a high-severity
security vulnerability in Amazon's Ring Video Doorbell Pro devices that
could allow nearby attackers to steal your WiFi password and launch a
variety of cyberattacks using MitM against other devices connected to
the same network.
In case you don't own one of these, Amazon's Ring Video Doorbell is a
smart wireless home security doorbell camera that lets you see, hear and
speak to anyone on your property from anywhere in the world.
The smart doorbell needs to be connected to your WiFi network, allowing
you to remotely access the device from a smartphone app to perform all
tasks wirelessly.
While setting up the device for the very first time and sharing your
WiFi password with it, you need to enable the configuration mode from
the doorbell.
Entering the configuration mode turns on a built-in, unprotected
wireless access point, allowing the Ring smartphone app installed on
your device to automatically connect to the doorbell.
However, researchers told The Hacker News that besides using an access
point with no password, the initial communication between the Ring app
and the doorbell, i.e., when you share your home's WiFi password with
the doorbell, is performed insecurely through plain HTTP.
Thus, a nearby attacker can simply connect to the same unprotected
wireless access point while the setup is in progress and steal your
WiFi password using a man-in-the-middle attack.
Since this attack can only be performed during the "one-time initial
configuration" of the device, you might be wondering how an attacker can
leverage this loophole after the device has already been configured.
Researchers suggested that by continuously sending de-authentication
messages to the device, an attacker can trick the user into believing
that the device is malfunctioning, forcing him to re-configure it.
"Attackers can trigger the reconfiguration of the Ring Video Doorbell
Pro. One way to do this is to continuously send deauthentication
packets, so that the device is dropped from the wireless network. At
this point, the App loses connectivity and tells the user to reconfigure
the device," the researchers told The Hacker News.
"The live view button becomes greyed out and, when clicked, the app will
suggest restarting the router or pressing the setup button twice on the
doorbell. Pressing the button twice will trigger the device to try to
reconnect to the network – an action that will fail. The last resort is
to try and reconfigure the device," Bitdefender said in a blog post.
Once the owner enters into the configuration mode to re-share WiFi
credentials, the attacker sniffing the traffic would capture the
password in plaintext, as shown in the screenshot.
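
The reconfiguration trigger described above depends on a sustained stream of deauthentication frames, which a monitor on the home network's channel can spot. The following Python example is added here and is not code from Bitdefender or Ring: it parses raw 802.11 deauthentication frames and flags a station hit by a burst of them. The function names, the threshold and window values, and the sample MAC addresses are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict, deque

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dest, src, bssid, reason) for an 802.11 deauthentication frame, else None.
    Assumes the radiotap/capture header has already been stripped."""
    # Frame Control byte 0: version 0, type 0 (management), subtype 12 (deauth) = 0xC0
    if len(frame) < 26 or (frame[0] & 0xFC) != 0xC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_deauth_flood(capture, threshold=10, window=5.0):
    """capture: time-ordered (timestamp_seconds, frame_bytes) pairs.
    Returns {station_mac: time it first reached `threshold` deauths within `window` seconds}.
    threshold and window are assumed values; tune them against normal traffic."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dest, src, bssid, _ = parsed
        # The affected client is whichever end is not the access point, so frames
        # forged in either direction are counted against the same station.
        station = src if dest == bssid else dest
        times = recent[station]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            alerts.setdefault(station, ts)
    return alerts

# Constructed sample data (locally administered MACs, not taken from the article).
AP, DOORBELL, LAPTOP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def build_frame(fc0, dest, src, bssid, reason=7):
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc0, 0, 0, 0]) + raw(dest) + raw(src) + raw(bssid) + struct.pack("<HH", 0, reason)

SAMPLE = [(50.0, build_frame(0xC0, LAPTOP, AP, AP, reason=3)),     # one ordinary deauth
          (99.0, build_frame(0x80, "ff:ff:ff:ff:ff:ff", AP, AP))]  # beacon, ignored
SAMPLE += [(100.0 + i * 0.25, build_frame(0xC0, DOORBELL, AP, AP)) for i in range(12)]

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))
```

An alert for the doorbell's address that coincides with the app asking for reconfiguration is a reason not to re-enter the WiFi password until the device firmware is confirmed up to date.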
Once in possession of a user's WiFi password, an attacker can launch various network-based attacks, including:
- Interact with all devices within the household network;
- Intercept network traffic and run man-in-the-middle attacks;
- Access all local storage (NAS, for example) and subsequently access private photos, videos and other types of information;
- Exploit all vulnerabilities existing in the devices connected to the
local network and get full access to each device; that may lead to
reading emails and private conversations;
- Get access to security cameras and steal video recordings.
Bitdefender discovered this vulnerability in Ring Video Doorbell Pro
devices in June this year and responsibly reported it to Amazon, but got
no update from the company.
When asked for an update in late July, the vendor closed the
vulnerability report in August and marked it as a duplicate, without
saying whether a third party had already reported the issue.
However, after some communication with the vendor, an automatic fix for the vulnerability was partially issued on 5th September.
"However, to be on the safe side Ring Video Doorbell Pro users should
make sure they have the latest update installed. If so, they're safe."
A similar security vulnerability, which also exposed the owner's WiFi
network password to attackers, was discovered and patched in the Ring
Video Doorbell devices in early 2016.