Researchers have uncovered a vulnerability in a ‘smart’ doorbell that could have allowed attackers to easily steal the passwords to customers’ Wi-Fi networks.
As David Lodge of Pen Test Partners openly admits in a blog post, Ring is a pretty nifty device. The Wi-Fi doorbell acts as a CCTV camera with built-in motion sensors that detect any activity on the property.
Whenever any motion is detected, Ring sends a mobile notification to a user’s phone, according to the product’s website.
A customer can also pair Ring to their mobile device in order to communicate with anyone who approaches the doorbell, or they can connect it to a smart lock so that they can remotely unlock the door to their house.
Lodge and his fellow researchers were less than impressed, however, when they reviewed the device’s security.
When the team pushed the orange setup button on the back of Ring, they discovered that the doorbell’s wireless module (a Gainspan wireless unit) went into AP (Access Point) mode.
After connecting to a MAC address in the access point, the researchers learned that they could communicate with the Gainspan’s HTTP server.
This included them asking nicely for the “/gainspan/system/config/network” URL, which returned the configured Wi-Fi SSID and cryptographic pre-shared key (PSK) in cleartext.
“The doorbell is only secured to its back plate by two standard screws. This means that it is possible for an attacker to gain access to the homeowner’s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL. As it is just a simple URL this can be performed quite easily from a mobile device such as a phone and could be performed without any visible form of tampering to the unit.”
It is unclear whether Ring ever intended to expose this functionality, which caused the Pen Test Partners team to wonder whether they could exploit the vulnerability to upload modified firmware and open a backdoor into a home’s network or launch exploits against other Internet of Things (IoT) devices, such as the flawed EZCast TV streamer.
To its credit, however, Ring responded to the company’s vulnerability report within minutes. It has since patched the flaw just two weeks after Pen Test Partners first privately disclosed the bug.
In a statement shared by The Register, Ring said the issue was fixed months ago but had apparently not been removed on the unit tested by Lodge and his fellow researchers.
“This security vulnerability was remedied with Ring’s firmware update 1.5 on August 11, 2015. Ring is now on firmware version 1.6. Every time Ring is activated, whether with motion or a doorbell ring, it automatically searches for available firmware updates.”
Customers who are unsure about their version of Ring should go to the “Settings” page of the device’s app and verify the firmware’s version for themselves. For more information, customers can also send an email to firstname.lastname@example.org and chat with a representative about what Ring is doing to protect their security. Could make for an interesting call.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.