Israeli experts expose security flaw in Amazon’s Ring Doorbell

Company says studies by Amazon and US police show that neighborhoods with the product see a 50% drop in home burglaries

 Amazon's Ring Video Doorbell 2. (photo credit: RING)
A vulnerability in Amazon's popular Ring Video Doorbell that can enable unwanted home surveillance has been discovered by Israeli cybersecurity experts.
Researchers at Herzliya-based Dojo by BullGuard exposed a vulnerability between the doorbell's cloud service and the Ring mobile application that allows hackers to gain access to unencrypted transmission of audio and video recordings.
The Ring Doorbell offers video and audio communication between the device and a user's smartphone, enabling a user to detect motion outside their property, answer the door or check on the home's security anytime from any location.
Amazon, which acquired the video doorbell in April 2018, claims studies carried out by the company and police forces in the US show that neighborhoods equipped with its product have witnessed a 50% reduction in home burglaries.
In an on-stage demonstration at last week's Mobile World Congress in Barcelona, Yossi Atias, Dojo's general manager of IoT (Internet of Things) Security, showed how the company could change the video feed so that the end user "believed" they were seeing someone they knew and had previously let in.
"Ring is a well-respected IoT brand, however the vulnerability we discovered in the Ring video doorbell reveals even highly secure devices are vulnerable to attack," Atias said.
"This particular vulnerability is complex because it is between the cloud and the Ring mobile app, and is acted upon when the Ring Video Doorbell owner is away from home – meaning the package delivery person, house cleaner or babysitter might not actually be the same person at your door. Letting someone you 'think' you know into your home could potentially have dire consequences, particularly if your kids are at home."
Dojo said it managed to gain access to application traffic "without difficulty." If the Ring user was at home, hackers could exploit the vulnerability by cracking weak Wi-Fi encryption or by exploiting another smart home device. If the user was outside the home, hackers could open rogue Wi-Fi connections near the owner and wait for them to join.
In addition to altering the video feed, hackers could also spy through the doorbell, enabling the gathering of information such as household habits and details about family members.
"Security is only as strong as its weakest link. When handling sensitive data like a video doorbell, secure transmission is not a feature, but a must – particularly as the average consumer will not be aware of any tampering," said Atias.
The vulnerability, researchers said, was discovered during the company's routine ethical hacking process to examine flaws in various IoT devices and improve its cybersecurity platform for protecting smart homes and connected devices.
Since its discovery, Amazon has released a new version of the Ring mobile application, fixing the vulnerability and preventing a repeat of Dojo's attack.