An Amazon Ring vulnerability may have given hackers access to some users’ Wi-Fi passwords, according to a report by cybersecurity researchers.
Researchers at Bitdefender discovered the issue back in June. It allowed anyone close enough to a Ring device to intercept the Amazon-branded doorbell’s communications and snatch private Wi-Fi network credentials.
Hackers could then use this information to gain access to the network and launch larger attacks, conduct surveillance or use the password to access other devices with the same login details.
The vulnerability affects the configuration and reconfiguration process used to set up or repair Ring devices, as this is when they require a wireless connection to join the local network.
“When first configuring the device, the smartphone app must send the wireless network credentials,” explained Bitdefender in its report. “This takes place in an unsecure manner, through an unprotected access point.”
Once the network is up, the app connects to it automatically, queries the device and sends the local network’s credentials, all over plain, unencrypted HTTP. Because the connection is unencrypted, any nearby eavesdropper could read the user’s home network credentials.
Hackers aware of the vulnerability can even use this knowledge to orchestrate an attack by prompting the user to reconfigure their device.
“The attacker must trick the user into believing that the device is malfunctioning so the user reconfigures it,” warned Bitdefender. “One way to do this is to continuously send deauthentication messages, so that the device is dropped from the wireless network.”
The user will then be unable to receive notifications or reach the remote servers to view their live feed, and is eventually forced to reconfigure the device by leaving and rejoining the network. That gives the attacker the chance to intercept their home network credentials.
Thankfully, Amazon resolved the issue in September, though it was only disclosed to Ring users this week.
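For defenders, the continuous deauthentication described above is itself a detectable signal. The following is an added example, not code from Bitdefender's report or from Ring: it flags a sustained run of deauthentication frames aimed at one client. The log format, MAC addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption): one line per management frame
# recorded by a wireless monitoring sensor.
LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<type>\w+) bssid=(?P<bssid>\S+) dst=(?P<dst>\S+)")

def parse(lines):
    """Yield (timestamp, bssid, dst) for deauthentication frames only."""
    for line in lines:
        m = LINE.match(line)
        if m and m["type"] == "DEAUTH":
            yield float(m["ts"]), m["bssid"], m["dst"]

def detect_deauth_floods(lines, window=10.0, threshold=20):
    """Return {(bssid, dst): timestamp of the first alert}.

    A client that roams or is dropped once produces a handful of frames; a
    sustained run against the same client is what keeps it off the network.
    window (seconds) and threshold (frames) are illustrative, tune per site.
    Input lines must be in time order.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, bssid, dst in parse(lines):
        q = recent[(bssid, dst)]
        q.append(ts)
        while ts - q[0] > window:      # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault((bssid, dst), ts)
    return alerts

def sample_log():
    """Constructed sample: one ordinary deauth, then 5 frames/s at the doorbell for 10 s."""
    ap, laptop, doorbell = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
    lines = [f"100.0 DEAUTH bssid={ap} dst={laptop}",
             f"100.5 BEACON bssid={ap} dst=ff:ff:ff:ff:ff:ff"]
    lines += [f"{200 + i * 0.2:.1f} DEAUTH bssid={ap} dst={doorbell}" for i in range(50)]
    return lines

if __name__ == "__main__":
    for (bssid, dst), ts in detect_deauth_floods(sample_log()).items():
        print(f"t={ts}: sustained deauthentication of {dst} on {bssid}")
```

An alert on a device that then appears to "malfunction" is a reason to investigate the wireless environment before re-running its setup.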