What you need to know
- A design flaw could have allowed anyone nearby to steal your Wi-Fi password via your Ring Video Doorbell.
- Ring was made aware of this flaw in June and has just issued a patch on November 7.
- Users won't need to do anything, as this update is automatic.
While you were passing out candy to trick-or-treaters this Halloween, you probably weren't too concerned about little ghouls stealing your Wi-Fi passcode via that handy video doorbell, were you? That exact scenario was apparently possible but, thankfully, Ring was aware of the issue and has patched the nasty little bug. Research firm Bitdefender found the issue in June and notified Amazon via the HackerOne bug bounty program, but it took until November for this to be patched. A Ring spokesperson has this to say:
Here's how this vulnerability could have played out. Your neighbor, or anyone within Wi-Fi range of your doorbell, could send fake "deauthentication messages" to the doorbell, thus causing the doorbell to think it was offline. The owner of the doorbell would eventually receive a notification from the Ring app detailing that the doorbell was offline, triggering the usual troubleshooting steps of resetting the doorbell.
Once the doorbell was reset and began the process of pairing with your Wi-Fi network, the hacker near you would be able to easily get your credentials because Ring originally chose to send these credentials via an unsecured HTTP connection. Companies like Google have been bolstering security for years by helping users identify when websites are safe, but devices like video doorbells aren't necessarily going to be as transparent in how they communicate.
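For anyone monitoring their own network, the first step described above is the part that can be observed. The following is an added illustration, not code from Bitdefender or Ring: a sliding-window check that flags a burst of deauthentication frames aimed at a single device. The record format, MAC addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample records (not output of any real tool):
# "epoch_seconds,frame_subtype,transmitter,receiver"
SAMPLE_FRAMES = """\
100.0,beacon,aa:aa:aa:aa:aa:01,ff:ff:ff:ff:ff:ff
101.0,deauth,aa:aa:aa:aa:aa:01,bb:bb:bb:bb:bb:02
200.0,deauth,aa:aa:aa:aa:aa:01,cc:cc:cc:cc:cc:03
200.5,deauth,aa:aa:aa:aa:aa:01,cc:cc:cc:cc:cc:03
201.0,deauth,aa:aa:aa:aa:aa:01,cc:cc:cc:cc:cc:03
201.5,deauth,aa:aa:aa:aa:aa:01,cc:cc:cc:cc:cc:03
202.0,deauth,aa:aa:aa:aa:aa:01,cc:cc:cc:cc:cc:03
202.5,deauth,aa:aa:aa:aa:aa:01,cc:cc:cc:cc:cc:03
300.0,deauth,aa:aa:aa:aa:aa:01,cc:cc:cc:cc:cc:03
"""


def find_deauth_bursts(lines, window=10.0, threshold=5):
    """Return one (receiver, burst_start, frame_count) tuple per burst.

    A single deauthentication frame is normal (roaming, AP restarts), so an
    alert needs `threshold` frames to the same receiver within `window` seconds.
    Frames are grouped by receiver because the transmitter field of an
    unprotected management frame can be forged.
    """
    recent = defaultdict(deque)   # receiver -> timestamps inside the window
    alerting = set()              # receivers already reported for this burst
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, subtype, _transmitter, receiver = line.split(",")
        if subtype != "deauth":
            continue
        ts = float(ts_text)
        q = recent[receiver]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop frames that fell out of the window
        if len(q) >= threshold:
            if receiver not in alerting:
                alerting.add(receiver)
                alerts.append((receiver, q[0], len(q)))
        else:
            alerting.discard(receiver)  # burst over; allow a future alert
    return alerts


if __name__ == "__main__":
    for receiver, start, count in find_deauth_bursts(SAMPLE_FRAMES.splitlines()):
        print(f"deauth burst against {receiver}: {count} frames from t={start}")
```

On the constructed data, the isolated frame to `bb:bb:bb:bb:bb:02` and the late single frame at t=300 stay below the threshold; only the six-frame run against `cc:cc:cc:cc:cc:03` is reported.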
IoT (Internet of Things) devices are a particularly worrisome group of devices because they often go unpatched for lengthy amounts of time, owing to poor support or small profit margins that don't encourage companies to provide long-term support. Since devices like video doorbells, smart thermostats, and connected lightbulbs are always on and always connected to your home network, it's incredibly important to choose products from manufacturers who have proven they can help prevent attackers from gaining control of your network or personal information.
This isn't the first time we've seen Ring have some privacy issues, including allegations of spying and warrantless viewing of footage from police. While a lot of this sounds nefarious, Ring has shown good effort in righting its wrongs and patching issues when they appear.
The fact that Ring "was" sending wifi credentials via unsecured HTTP clearly displays a coding mindset that is irresponsible. I imagine more vulnerabilities will be uncovered soon.