Researchers from Dojo/Bullguard investigated the security model of the Ring smart doorbell -- made by Amazon -- and discovered that the video was sent "in the clear" (without encryption) meaning that people on the same network as the doorbell, or on the same network as one of its owners, can easily tap into its feeds.
Additionally, the researchers found that it would be easy to alter the feed coming from the doorbell (for example, you could insert a feed of an empty porch while you were breaking down the door).
The security risks arose because Ring's designers chose not to encrypt their Real-time Transport Protocol (RTP) packets. This means that an attacker who joins a network that is carrying the video feed (for example, the wifi at a conference center or coffee shop that a Ring owner is using to monitor the feed from their home) can view or hijack the video streams.
The latest version of the Ring app (version 3.4.7) corrects this error, but the release notes do not mention this fact, so some users may not have upgraded.
This report is part of a growing pattern of serious security problems with Ring's products, which is particularly troubling, given that they are intended as security measures themselves.
The main takeaway from this research is that security is only as strong as its weakest link. Encrypting the upstream RTP traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP transmission does not thwart stream interception. When dealing with data as sensitive as a doorbell's feed, secure transmission is not a feature but a must, as the average user will not be aware of potential tampering.
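To make the weakest-link point concrete, here is an added example (not Ring's or the researchers' code) that builds RFC 3550 RTP packets and compares an unprotected stream with one carrying an SRTP-style authentication tag (HMAC-SHA1 truncated to 80 bits, as in RFC 3711). Payload encryption is left out, so this shows only the integrity leg; the key and frame bytes are constructed stand-ins.

```python
import hmac
import hashlib
import struct

AUTH_TAG_LEN = 10  # SRTP default: HMAC-SHA1 tag truncated to 80 bits (RFC 3711)
HDR_LEN = 12       # RTP fixed header without CSRC list (RFC 3550)

def build_rtp(seq, timestamp, ssrc, payload, pt=96):
    """Build an RTP packet: V=2, no padding/extension/CSRC, then the payload."""
    header = struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload

def parse_rtp(pkt):
    """Parse the fixed header; a plain-RTP receiver accepts anything well-formed."""
    v_p_x_cc, m_pt, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:HDR_LEN])
    if v_p_x_cc >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": m_pt & 0x7F, "payload": pkt[HDR_LEN:]}

def _tag(body, auth_key, roc):
    # SRTP authenticates header || payload || rollover counter (ROC)
    mac = hmac.new(auth_key, body + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]

def protect(pkt, auth_key, roc=0):
    """Append an SRTP-style authentication tag to a plain RTP packet."""
    return pkt + _tag(pkt, auth_key, roc)

def unprotect(pkt, auth_key, roc=0):
    """Verify the tag before trusting the packet; reject altered or forged data."""
    body, tag = pkt[:-AUTH_TAG_LEN], pkt[-AUTH_TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body, auth_key, roc)):
        raise ValueError("authentication tag mismatch: packet altered or forged")
    return parse_rtp(body)

def demo():
    """Return (payload a plain receiver accepts after alteration, whether SRTP detected it)."""
    key = b"constructed-auth-key-not-a-real-key"   # constructed, not a real key
    frame, substitute = b"FRAME:person-at-door", b"FRAME:empty-porch"
    plain = build_rtp(7, 90000, 0xDEADBEEF, frame)
    # Plain RTP: header kept, payload swapped; the receiver cannot tell the difference.
    accepted = parse_rtp(plain[:HDR_LEN] + substitute)["payload"]
    # SRTP-style: the same swap leaves the tag stale, so verification fails.
    prot = protect(plain, key)
    try:
        unprotect(prot[:HDR_LEN] + substitute + prot[-AUTH_TAG_LEN:], key)
        detected = False
    except ValueError:
        detected = True
    return accepted, detected
```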
One Ring to rule them all, and in darkness bind them [Dojo/Bullguard]
(Image: Cryteria, CC-BY)