If you’ve ever expressed concern about the security implications of Amazon Ring connected doorbells; if you’ve ever voiced privacy concerns about letting Amazon have such a portal into your life… your fears have been justified.
It has just been revealed that a security flaw in the camera-toting devices made it possible for hackers to access customers’ Wi-Fi usernames and passwords. With these credentials, it would then be possible to launch a wider privacy-invading attack on households, accessing all manner of data and devices on home networks.
The issue was unearthed by security firm Bitdefender, which found that Amazon’s Ring Video Doorbell Pro is vulnerable when in configuration mode. The company explains that network settings are sent to the device from a mobile app via plain, unencrypted HTTP. Wi-Fi credentials that are transferred in this way are open to interception by nearby eavesdroppers and hackers.
Bitdefender says: “Another important step in exploitation is the fact that a hostile actor can trigger the reconfiguration of the Ring Video Doorbell Pro. One way to do this is to continuously send deauthentication messages, so that the device gets dropped from the wireless network. At this point, the mobile app loses connectivity and instructs the user to reconfigure the device”.
Evan Greer, deputy director of privacy-focused Fight for the Future, is both unimpressed and unsurprised:
“This is a classic example of how more surveillance does not mean more safety. Amazon has consistently shown reckless disregard for privacy and civil liberties, but this is terrifying on a whole other level. Putting insecure cameras and listening devices around your home puts your family in danger. Congress should immediately investigate the threat posed by Amazon’s rapidly spreading, for-profit surveillance dragnet.”
The good news is that a security update has already been pushed out to the affected devices, but it is not known how many users may have fallen victim to this form of attack.
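For defenders, the sustained deauthentication described by Bitdefender is visible to wireless monitoring as a run of deauth frames aimed at one device. The sketch below is an added example, not code from Bitdefender or Amazon; the record layout, MAC addresses, window and threshold are all assumptions, and the sample frames are constructed.

```python
from collections import defaultdict, deque

# Constructed sample records: (seconds, frame subtype, transmitter MAC, receiver MAC).
# Assumption: in practice these fields come from a monitor-mode capture or a
# wireless IDS export; the layout here is hypothetical.
SAMPLE_FRAMES = (
    [(0.5, "beacon", "aa:aa:aa:00:00:01", "ff:ff:ff:ff:ff:ff"),
     (3.0, "deauth", "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:09")]  # isolated, normal
    + [(10.0 + i * 0.2, "deauth", "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02")
       for i in range(40)]                                       # sustained run
)


def find_deauth_floods(frames, window=5.0, threshold=20):
    """Return {receiver MAC: time its deauth count first reached threshold}.

    window (seconds) and threshold (frames) are assumed tuning values; a single
    deauth is ordinary roaming behaviour, a sustained run aimed at one device
    is what forces it off the network.
    """
    recent = defaultdict(deque)  # receiver MAC -> deauth timestamps in the window
    alerts = {}
    for ts, subtype, _src, dst in sorted(frames):
        if subtype != "deauth":
            continue
        stamps = recent[dst]
        stamps.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while stamps and ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold and dst not in alerts:
            alerts[dst] = ts
    return alerts


if __name__ == "__main__":
    for mac, when in find_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood against {mac} first detected at t={when:.1f}s")
```

An alert for a doorbell's MAC address followed shortly by an app prompt to reconfigure the device is the sequence the report describes, and a reason to hold off on re-entering Wi-Fi credentials until the firmware is confirmed up to date.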