Researchers discovered a vulnerability in Amazon’s Ring Video Doorbell Pro that, if exploited, could allow a threat actor to get network or Wi-Fi credentials. Amazon has already fixed this issue back in September but the vulnerability was only disclosed recently.
Ring Video Doorbell Pro is a home security device that gives homeowners the ability to screen visitors and monitor their home remotely. However, attackers that exploit the device’s flaw to gain Wi-Fi credentials can open the home to other forms of compromise.
The discovery was made by researchers from Bitdefender, who found a security flaw in the way the device connects to the local network upon first configuration. They saw that the smartphone app sends the wireless network’s credentials to the device during the initial configuration process. It does so by creating an access point that is not password-protected and sending the needed network credentials in HTTP, which is a protocol more likely to be exposed to potential attackers compared to the more secure HTTPS protocol.
A scenario using this vulnerability could start with attackers identifying a home that uses this particular device. The attackers would then make the user believe that the doorbell is malfunctioning to trick the homeowner into reconfiguring the device, at which point they can intercept the sent credentials.
The researchers pointed out that a way to do this would be to continuously send deauthentication messages so that the device would be dropped from the wireless network. This process would take some time, but eventually the app would show that the device was offline. The homeowner could try to reconnect it to the network using the app, but this will ultimately fail and force them to reconfigure.
Security risks of smart devices
Through this vulnerability and by gaining access to a network, attackers can compromise other devices, among other potential consequences. It demonstrates how vulnerabilities expose devices to risks that consequently lead to escalating attack scenarios.
Each smart device presents both specific functions and potential security risks that have yet to be similarly discovered. Another case in point was made in a 2017 research where Trend Micro researchers had uncovered how Sonos speakers that still use default passwords can be exposed to the internet.
As more devices are added to a single environment it becomes much harder to control chained functions and device configurations, creating openings for different forms of attack. A separate research done by Trend Micro showed how the complexity of internet of things (IoT) environments introduces unforeseen security consequences. Potential hackers can maximize a breach to have a bigger effect or to gain more leverage from their attack.
Users and IoT stakeholders should share the responsibility of securing smart devices and the environment in which they are deployed. Manufacturers should implement security-by-design when creating their products and be swift in addressing discovered vulnerabilities, while users are responsible for using their devices securely and applying the needed patches as soon as they become available.
The Trend Micro Smart Home Network solution provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).