Israeli experts expose security flaw in Amazon’s Ring Doorbell

Company says studies by Amazon and police in US show neighborhoods with product show 50% drop in home burglaries

By
March 3, 2019 14:09
2 minute read.
 Amazon's Ring Video Doorbell 2.

Amazon's Ring Video Doorbell 2.. (photo credit: RING)

 
X

Dear Reader,
As you can imagine, more people are reading The Jerusalem Post than ever before. Nevertheless, traditional business models are no longer sustainable and high-quality publications, like ours, are being forced to look for new ways to keep going. Unlike many other news organizations, we have not put up a paywall. We want to keep our journalism open and accessible and be able to keep providing you with news and analysis from the frontlines of Israel, the Middle East and the Jewish World.

As one of our loyal readers, we ask you to be our partner.

For $5 a month you will receive access to the following:

  • A user experience almost completely free of ads
  • Access to our Premium Section
  • Content from the award-winning Jerusalem Report and our monthly magazine to learn Hebrew - Ivrit
  • A brand new ePaper featuring the daily newspaper as it appears in print in Israel

Help us grow and continue telling Israel’s story to the world.

Thank you,

Ronit Hasin-Hochman, CEO, Jerusalem Post Group
Yaakov Katz, Editor-in-Chief

UPGRADE YOUR JPOST EXPERIENCE FOR 5$ PER MONTH Show me later

A vulnerability in Amazon's popular Ring Video Doorbell that can enable unwanted home surveillance has been discovered by Israeli cybersecurity experts.

Researchers at Herzliya-based Dojo by BullGuard exposed a vulnerability between the doorbell's cloud service and the Ring mobile application that allows hackers to gain access to unencrypted transmission of audio and video recordings.

The Ring Doorbell offers video and audio communication between the device and a user's smartphone, enabling a user to detect motion outside their property, answer the door or check on the home's security anytime from any location.

Amazon, which acquired the video doorbell in April 2018, claims studies carried out by the company and police forces in the US show that neighborhoods equipped with their product have witnessed a 50% reduction in home burglaries.

In an on-stage demonstration at last week's Mobile World Congress in Barcelona, Yossi Atias, Dojo's general manager of IoT (Internet of Things) Security, showed how the company could change the video feed so the end user "believed" they were seeing someone they know and let in previously.

"Ring is a well-respected IoT brand, however the vulnerability we discovered in the Ring video doorbell reveals even highly secure devices are vulnerable to attack," Atias said.

"This particular vulnerability is complex because it is between the cloud and the Ring mobile app, and is acted upon when the Ring Video Doorbell owner is away from home – meaning the package delivery person, house cleaner or babysitter might not actually be the same person at your door. Letting someone you 'think' you know into your home could potentially have dire consequences, particularly if your kids are at home."


Dojo said they managed to gain access to application traffic "without difficulty." If the Ring user was at home, hackers could exploit the vulnerability by cracking weak wi-fi encryption or by exploiting another smart home device. If the user was outside the home, hackers could open rogue wi-fi connections near the owner and wait for them to join.

In addition to altering the video feed, hackers could also spy through the doorbell, enabling the gathering of information such as household habits and details about family members.

"Security is only as strong as its weakest link. When handling sensitive data like a video doorbell, secure transmission is not a feature, but a must – particularly as the average consumer will not be aware of any tampering," said Atias.

The vulnerability, researchers said, was discovered during the company's routine ethical hacking process to examine flaws in various IoT devices and improve its cybersecurity platform for protecting smart homes and connected devices.

Since its discovery, Amazon has released a new version of the Ring mobile application, fixing the vulnerability and preventing a repeat of Dojo's attack.

Join Jerusalem Post Premium Plus now for just $5 and upgrade your experience with an ads-free website and exclusive content. Click here>>

Related Content

Adv. Nimrod Vromen (L) and Adv. Noa Mayer (R) of Yigal Arnon & Co. Law Firm
March 24, 2019
New online platform aims to offer start-ups runway to success

By EYTAN HALON