Researchers from Dojo/Bullguard investigated the security model of the Ring smart doorbell -- made by Amazon -- and discovered that the video was sent "in the clear" (without encryption) meaning that people on the same network as the doorbell, or on the same network as one of its owners, can easily tap into its feeds.
Additionally, the researchers found that it would be easy to alter the feed coming from the doorbell (for example, you could insert a feed of an empty porch while you were breaking down the door).
The security risks arose because Ring's designers chose not to encrypt their Real-time Transport Protocol (RTP) packets. This means that an attacker who joins a network that is carrying the video feed (for example, the wifi at a conference center or coffee shop that a Ring owner is using to monitor the feed from their home) can view or hijack the video streams.
The latest version of the Ring app (version 3.4.7) corrects this error, but the release notes do not mention this fact, so some users may not have upgraded.
This report is part of a growing pattern of serious security problems with Ring's products, which is particularly troubling, given that they are intended as security measures themselves.
The main takeaway from this research is that security is only as strong as its weakest link. Encrypting the upstream RTP traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP transmission does not thwart stream interception. When dealing with data as sensitive as a doorbell's video feed, secure transmission is not a feature but a must, as the average user will not be aware of potential tampering.
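One way for a device owner to check whether a camera's RTP stream is really protected by SRTP or is going out in the clear, as an added example that is not part of the original post or of Ring's or Dojo/Bullguard's code: SRTP keeps the RTP header intact and encrypts only the payload, so header parsing alone cannot tell the two apart. The heuristic below instead checks whether each payload starts with a structurally valid H.264 NAL unit header (RFC 6184); encrypted bytes fail that check about half the time, so a stream where nearly every packet passes is almost certainly cleartext video. The packets are constructed inline, and the 95% threshold, the 20-packet window and the SHA-256 hash chain standing in for ciphertext are assumptions of this example.

```python
"""Heuristic check: is a captured RTP video stream cleartext H.264 or SRTP?
Added example; not Ring's or Dojo/Bullguard's code. Assumes the RFC 6184
H.264 payload format and traffic captured from your own devices."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class RtpPacket:
    version: int
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int
    payload: bytes


def parse_rtp(data: bytes) -> RtpPacket:
    """Parse the fixed 12-byte RTP header (RFC 3550), skipping CSRCs and any
    header extension. SRTP has exactly the same header; only the payload
    (and an appended auth tag) differ, which is why the header alone cannot
    reveal whether the stream is encrypted."""
    if len(data) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F
    has_ext = bool(b0 & 0x10)
    offset = 12 + 4 * csrc_count
    if has_ext:
        _, ext_len = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4 + 4 * ext_len  # ext_len counts 32-bit words
    return RtpPacket(version, b1 & 0x7F, seq, ts, ssrc, data[offset:])


def looks_like_h264(payload: bytes) -> bool:
    """RFC 6184: the first payload byte is a NAL unit header. forbidden_zero_bit
    must be 0 and nal_unit_type must be 1..23 (single NAL unit) or 24..29
    (aggregation / fragmentation units). Uniformly random (encrypted) bytes
    satisfy this only about 45% of the time."""
    if not payload:
        return False
    forbidden = payload[0] >> 7
    nal_type = payload[0] & 0x1F
    return forbidden == 0 and 1 <= nal_type <= 29


def classify_stream(packets: List[bytes], threshold: float = 0.95) -> str:
    """Over a window of packets from one stream, report 'likely-cleartext'
    when (almost) every payload parses as H.264; otherwise 'likely-encrypted'.
    The 0.95 threshold is an assumption of this example."""
    parsed = [parse_rtp(p) for p in packets]
    ok = sum(looks_like_h264(p.payload) for p in parsed)
    ratio = ok / len(parsed)
    return "likely-cleartext" if ratio >= threshold else "likely-encrypted"


# ---- constructed sample traffic (not real captures) ----------------------

def build_rtp(seq: int, payload: bytes, pt: int = 96, ssrc: int = 0x11223344) -> bytes:
    """Constructed packet: V=2, no padding/extension/CSRC, marker bit clear."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 3000, ssrc) + payload


def pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for SRTP ciphertext (SHA-256 hash chain; constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Cleartext stream: FU-A fragments (nal_unit_type 28) of an IDR slice.
CLEARTEXT = [build_rtp(i, bytes([0x7C, 0x85]) + bytes([0x00, 0x00, 0x03, 0x01]) * 50)
             for i in range(20)]
# Encrypted-looking stream: same headers, random-looking payload.
ENCRYPTED = [build_rtp(i, pseudo_random(b"seed%d" % i, 202)) for i in range(20)]


if __name__ == "__main__":
    for name, stream in (("cleartext sample", CLEARTEXT), ("encrypted sample", ENCRYPTED)):
        first = parse_rtp(stream[0])
        print(f"{name}: ssrc=0x{first.ssrc:08x} pt={first.payload_type} -> {classify_stream(stream)}")
```

In practice you would feed `classify_stream` the UDP payloads of one SSRC pulled from a capture taken on your own network; a "likely-cleartext" verdict for a camera that is supposed to use SRTP is the condition the report describes. The check is a heuristic: it says nothing about the SIP signalling path, which, as the takeaway above notes, must be protected separately.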
One Ring to rule them all, and in darkness bind them [Dojo/Bullguard]
(Image: Cryteria, CC-BY)