Researchers from Dojo/Bullguard investigated the security model of the Ring smart doorbell -- made by Amazon -- and discovered that the video was sent "in the clear" (without encryption) meaning that people on the same network as the doorbell, or on the same network as one of its owners, can easily tap into its feeds.
Additionally, the researchers found that it would be easy to alter the feed coming from the doorbell (for example, you could insert a feed of an empty porch while you were breaking down the door).
The security risks arose because Ring's designers chose not to encrypt their Real-time Transport Protocol (RTP) packets, the UDP packets that carry the video frames. This means that an attacker who joins a network that is carrying the video feed (for example, the wifi at a conference center or coffee shop that a Ring owner is using to monitor the feed from their home) can view or hijack the video streams.
The latest version of the Ring app (version 3.4.7) corrects this error, but the release notes do not mention this fact, so some users may not have upgraded.
This report is part of a growing pattern of serious security problems with Ring's products, which is particularly troubling, given that they are intended as security measures themselves.
The main takeaway from this research is that security is only as strong as its weakest link. Encrypting the upstream RTP traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP transmission does not thwart stream interception. When dealing with data as sensitive as a doorbell feed, secure transmission is not a feature but a must, as the average user will not be aware of potential tampering.
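To make the two points above concrete (plaintext RTP is readable by anyone on the path, and an unauthenticated stream lets that same party slot in forged frames), here is an added example written for this page. It is not Ring's or Dojo's code and describes no Ring-specific packet format: the RTP packets are constructed inline, payload type 96 is just a typical dynamic mapping for H.264, the 20-byte session authentication key is assumed to be already agreed, and the SRTP (RFC 3711) part is reduced to its HMAC-SHA1 authentication tag (the AES key derivation and AES-CTR payload encryption that real SRTP adds are omitted). The receiver on the unprotected stream accepts the injected packet; the receiver on the tagged stream drops it.

```python
"""RTP parsing, forgery against an unauthenticated stream, and the SRTP-style
HMAC-SHA1 tag that defeats it.  Added example; not Ring's or Dojo's code.
Assumptions: packets built inline, payload type 96 for video, a pre-agreed
20-byte session auth key; SRTP's AES-CTR encryption and KDF are left out."""
import hashlib
import hmac
import struct

TAG_LEN = 10  # SRTP default: HMAC-SHA1 truncated to 80 bits (RFC 3711 s.4.2.1)
DEMO_AUTH_KEY = b"\x11" * 20  # assumed session auth key; real SRTP derives it

def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """RTP packet with the 12-byte fixed header (RFC 3550 s.5.1), no CSRCs."""
    b0 = 0x80  # version 2, no padding, no extension, CSRC count 0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp(packet):
    """Parse fixed header, CSRC list, optional header extension and padding."""
    if len(packet) < 12:
        raise ValueError("too short for RTP")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)          # skip CSRC identifiers
    if b0 & 0x10:                          # header extension (RFC 3550 s.5.3.1)
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload and payload[-1]:  # padding: last byte = pad length
        payload = payload[:-payload[-1]]
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": payload}

def forge_next_packet(captured, new_payload):
    """What an on-path attacker can do to an unauthenticated stream: reuse the
    captured SSRC and payload type, step seq by 1 and the 90 kHz timestamp by
    one 30 fps frame, so the receiver slots the packet in as the next frame."""
    h = parse_rtp(captured)
    return build_rtp(h["pt"], h["seq"] + 1, h["timestamp"] + 3000, h["ssrc"],
                     new_payload, marker=True)

def srtp_tag(auth_key, rtp_packet, roc=0):
    """SRTP authentication tag: HMAC over the packet plus the 32-bit rollover
    counter, truncated to TAG_LEN bytes."""
    mac = hmac.new(auth_key, rtp_packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]

def srtp_protect(auth_key, rtp_packet, roc=0):
    return rtp_packet + srtp_tag(auth_key, rtp_packet, roc)

def srtp_verify(auth_key, srtp_packet, roc=0):
    """Return the RTP packet if its tag checks out, else None (drop it)."""
    body, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
    if hmac.compare_digest(tag, srtp_tag(auth_key, body, roc)):
        return body
    return None

def receive(packets, auth_key=None):
    """Receiver that returns the payloads it would render.  With no key every
    well-formed packet carrying the stream's SSRC is taken at face value."""
    accepted, ssrc = [], None
    for pkt in packets:
        if auth_key is not None:
            pkt = srtp_verify(auth_key, pkt)
            if pkt is None:
                continue               # bad or missing tag: discard silently
        h = parse_rtp(pkt)
        ssrc = h["ssrc"] if ssrc is None else ssrc
        if h["ssrc"] == ssrc:
            accepted.append(h["payload"])
    return accepted

# Constructed sample feed: two frames; the bytes stand in for H.264 NAL units.
SSRC = 0x1234ABCD
GENUINE = [build_rtp(96, 100 + i, 90000 + 3000 * i, SSRC, b"\x65 porch frame %d" % i)
           for i in range(2)]
FORGED_FRAME = b"\x65 empty porch"

def demo_unprotected():
    """Attacker reads every frame and the receiver renders the forged one."""
    attacker_view = [parse_rtp(p)["payload"] for p in GENUINE]
    injected = forge_next_packet(GENUINE[-1], FORGED_FRAME)
    return attacker_view, receive(GENUINE + [injected])

def demo_protected(auth_key=DEMO_AUTH_KEY):
    """Same injection against a tagged stream: no key, no valid tag, dropped."""
    stream = [srtp_protect(auth_key, p) for p in GENUINE]
    injected = forge_next_packet(GENUINE[-1], FORGED_FRAME) + b"\x00" * TAG_LEN
    return receive(stream + [injected], auth_key)

if __name__ == "__main__":
    print("unprotected:", demo_unprotected())
    print("protected:  ", demo_protected())
```

Note that the tag only buys integrity; without the encryption half of SRTP the attacker in `demo_protected` still reads every frame, which is the other half of the report's point. Replay protection (the SRTP replay list keyed on sequence number and ROC) is also omitted here.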
One Ring to rule them all, and in darkness bind them [Dojo/Bullguard]
(Image: Cryteria, CC-BY)