Bitdefender–the tireless actuary of the Internet of Things–were able to crack into homeowner’s personal WiFi networks via Amazon’s Ring doorbells, the video-enabled auto-locks that allow homeowners to remotely open the door. And as Bitdefender’s Chief Security Researcher Jay Balan told Gizmodo over the phone, once a bad actor has access to a home network “it’s game over.”
Balan told us that the vulnerability was discovered following a request from PCMag to look into the device and that it’s now been patched. The process of taking advantage of the security hole was tedious, he said, as the Ring typically communicates with your device via the company’s cloud services. The only insecure exchange between the app and device is the authentication process, so a hacker would have to kick the device off your network by aggressively sending the network de-authentication messages. The Ring would then appear to go offline. The hacker would have to wait within proximity of your WiFi (like right outside your home) until you notice that the device is offline. And when you reenter your credentials on the Ring, the hacker would be able to scoop them up.
A daring hacker with the patience to do this still wouldn’t be able to use the Ring app, but an imaginative mind could still find a way into your home. “There’s no other vulnerability that we discovered, but there are a million scenarios that you can run,” Balan told Gizmodo. “Let’s say there’s a vulnerable speaker system on the home network; many speaker systems accept people’s music without any authentication. A very possible scenario is that you could send an audio file to the speaker that says Alexa, open the front door.”
“There’s a fundamental problem with the way people treat their home networks,” Balan added. “Everybody believes that their home network is safe. This is why the security is much more lax on your home network. There’s no password on your TV, for example, because people think it’s their private network. Apps are, by design, insecure on private networks.”
Balan said Amazon was very responsive and moved to patch the devices quickly before disclosing them in November. It started the process in September but followed standard practices and waited until the vulnerability was patched to disclose it. “Customer trust is important to us,” a Ring spokesperson said in a statement, “and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched.”
This is the latest installment in the Ring’s ghoulish recent history. Back in February, researchers at Dojo by BullGuard found that hackers could send users images through the Ring app to show a person at the door. Lately, it advertised that it monitored all of the doorbell rings on Halloween. It’s also turned homes into patrol centers, with Amazon going so far as writing some police department’s press releases and tutoring them on how to best entice homeowners to hand over their private security footage.
As with most IoT devices, the Ring doorbells promise tech-infused solutions to a problem that didn’t really exist, and it’s just causing more problems.