Researchers at Bitdefender have found a vulnerability in Amazon’s Ring Video Doorbell which allows an attacker with proximity to the device to intercept the Wi-Fi credentials of the network it operates on, which could lead to further attacks to devices on the network. The Ring Doorbell is an IoT device that allows a person to remotely view and communicate to people on their property. The exploit revolves around the setup procedure and the lack of security in place during that setup. The researchers say that while setting up the device, the doorbell will broadcast an unprotected wireless signal which is meant to facilitate the communication between the app and the device. Besides this, the communication between the app and the doorbell is done insecurely through HTTP. This means that when the app prompts the user to enter their home Wi-Fi credentials, an eavesdropper can see the password in plaintext. This could then lead to exploitation of the network and attacks against the devices on it.
While the doorbell is only vulnerable when performing the initial setup, the researchers say that there is a way to trick the user into going through the setup again. They discovered that sending de-authentication messages to the device will make the user think that the device is not properly working, leading them to reconfigure it. A de-authentication attack is a type of denial of service attack where an attacker continuously sends de-authentication frames to one or more devices, preventing them from connecting to the network. While sending the de-authentication messages, the doorbell will disconnect itself from the Wi-Fi network and make it unable to reconnect. The last resort to resolve the connection issue is to reconfigure the device by going through the setup process again, leading to an eavesdropper gathering the credentials.
Ring has since patched this vulnerability with the release of its newest software update and urges its users to perform an update on their device. However, users that have not yet updated should be aware of this method to force a reconfiguration. If you suddenly find that the device is unable to connect to Wi-Fi you may be the victim of this attack. The exploitation of this vulnerability, while relatively easy, does require the attacker to be within some proximity to the network. This is not the first time that Ring has exposed users’ Wi-Fi passwords to attackers. In 2016, researchers found that by pushing a button on the device to activate access point mode, an attacker could use a mobile device to navigate to a URL that exposed the network settings. While IoT devices can provide great benefits to consumers, they must contain proper security controls.