Ring has pushed out a fix to a security issue in the configuration code for its Internet-connected home security products. Researchers from Bitdefender notified Ring in June of a flaw in Ring Video Doorbell Pro cameras’ software that made it possible for wireless eavesdroppers to grab the Wi-Fi credentials of customers during the device’s setup—because those credentials were sent over an unsecured Wi-Fi connection to the device using unencrypted HTTP.
In a report on the bug issued yesterday as part of a coordinated disclosure with Ring, Bitdefender researchers explained that when customers configured a Ring Video Doorbell Pro out of the box:
…the smartphone app [for Ring] must send the wireless network credentials. When entering configuration mode, the device creates an access point without a password (the SSID contains the last three bytes from the MAC address). Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network. All these exchanges are performed through plain HTTP. This means the credentials are exposed to any nearby eavesdroppers.
An attacker could take advantage of this bug by forcing a victim to reconfigure the doorbell. The attacker could use a Wi-Fi deauthorization (“deauth”) attack against the device to make it re-enter configuration mode and could use a malicious Wi-Fi device to make the Ring doorbell drop off its network.
The doorbell’s owner would then have to notice that the doorbell is disconnected, which may require the attacker or someone else to ring the doorbell before the targeted owner realizes the doorbell is offline. When the doorbell is put back into configuration mode, the app will offer to reconnect the doorbell to the Wi-Fi network—and then resend the credentials to the doorbell in an HTTP message encoded in XML.
The attacker would then be able to connect to the victim’s home Wi-Fi network if there are no other security measures in place to stop them (such as device white-listing or partitioning of the Wi-Fi network).
All affected devices should now be patched, according to Ring and Bitdefender. But this is another example of why owners of “Internet of Things” devices should consider using Wi-Fi routers capable of segmenting networks or offering “guest” Wi-Fi networks that restrict access by connected devices to the Internet only. And deauth attacks can still be used to knock these devices offline—allowing a burglar or “porch pirate” to cover their tracks by disabling video recording.