Cybersecurity research firm Bitdefender exposed the Amazon Ring flaw in a white paper. The company found that when a Ring doorbell is first configured for a Wi-Fi network, it brings up an access point with no password, and the initial connection to it uses unencrypted HTTP.
“Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network. All these exchanges are performed through plain HTTP. This means the credentials are exposed to any nearby eavesdroppers,” the case study reads.
Amazon remedied the security flaw in all Ring devices in September, but the incident was just made public on Thursday.
In a statement sent to PYMNTS on Thursday, a Ring spokesman said the problem has been remedied. “Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched,” the spokesman said.
As for how the problem occurred, Bitdefender explained, “When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecured manner, through an unprotected access point,” the firm told the news outlet. “Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”
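As an added illustration (not from the article or from Bitdefender's paper), the following Python audit shows why the setup exchange described above exposes credentials: it parses a constructed capture of a phone provisioning a device over an open access point and flags any frame that carries Wi-Fi secrets without link-layer or transport encryption. The endpoint `/wifi`, the field names and the addresses are hypothetical, not Ring's actual protocol.

```python
"""Audit a captured IoT onboarding exchange for cleartext credential exposure.
Constructed example: a phone joins a device's open setup AP and POSTs the
home Wi-Fi credentials over plain HTTP. Endpoint, fields and addresses are
hypothetical placeholders, not any vendor's real protocol."""
from urllib.parse import parse_qs

# Constructed capture: (ap_security, scheme, raw_http_request_bytes)
CAPTURE = [
    ("OPEN", "http",
     b"GET /status HTTP/1.1\r\nHost: 192.168.240.1\r\n\r\n"),
    ("OPEN", "http",
     b"POST /wifi HTTP/1.1\r\nHost: 192.168.240.1\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 37\r\n\r\n"
     b"ssid=HomeNet&passphrase=correct-horse"),
]
# Form field names that would carry the home network's secret.
CREDENTIAL_FIELDS = {"password", "passphrase", "psk", "key"}


def parse_http_request(raw: bytes) -> tuple[str, str, dict]:
    """Split a raw HTTP/1.1 request into (method, path, form_fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode()
    method, path, _ = request_line.split(" ", 2)
    fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return method, path, fields


def audit_onboarding(capture) -> list[str]:
    """Return one finding per frame that hands credentials to a nearby eavesdropper."""
    findings = []
    for ap_security, scheme, raw in capture:
        method, path, fields = parse_http_request(raw)
        leaked = sorted(CREDENTIAL_FIELDS & set(fields))
        if not leaked:
            continue  # no secret material in this frame
        exposures = []
        if ap_security == "OPEN":
            exposures.append("open AP (no link-layer encryption)")
        if scheme == "http":
            exposures.append("plain HTTP (no TLS)")
        if exposures:  # a WPA2 AP plus HTTPS would produce no finding
            findings.append(f"{method} {path} sends {', '.join(leaked)} over "
                            + " and ".join(exposures))
    return findings


if __name__ == "__main__":
    for finding in audit_onboarding(CAPTURE):
        print(finding)
```

The same capture with `("WPA2", "https", ...)` frames yields no findings, which is the property a hardened onboarding flow should have.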
This isn’t the first time Amazon has had a security issue with Ring. In February, researchers discovered a vulnerability in the Ring doorbell that could allow hackers to send fake images into the video feed, or even eavesdrop on video and audio as it is broadcast.
Dojo by BullGuard discovered that, with the right techniques, a hacker with access to the incoming data packets could have listened in on the live feed, and could have sent data into the feed before it reached the app. That method could show a homeowner fake images, prompting them to unlock the door.
Earlier this year there were reports that Ring employees were able to watch customers’ videos, but the company denied that accusation. And last May, it was revealed that Ring allowed password changes but never signed out users who had already logged in. In March 2017, some customers discovered that their doorbells were sending data to a server run by the Chinese search engine company Baidu.