Your internet-enabled doorbell could help crooks steal your Wi-Fi password

Researchers have uncovered a vulnerability in a 'smart' doorbell that could have allowed attackers to easily steal the passwords to customers' Wi-Fi networks.

As David Lodge of Pen Test Partners openly admits in a blog post, Ring is a pretty nifty device. The Wi-Fi doorbell acts as a CCTV camera with built-in motion sensors that detect any activity on the property.

Whenever any motion is detected, Ring sends a mobile notification to a user's phone, according to the product's website.

A customer can also pair Ring to their mobile device in order to communicate with anyone who approaches the doorbell, or they can connect it to a smart lock so that they can remotely unlock the door to their house.

Lodge and his fellow researchers were less than impressed, however, when they reviewed the device's security.

When the team pushed the orange setup button on the back of Ring, they discovered that the doorbell's wireless module (a Gainspan wireless unit) went into AP (Access Point) mode.

After connecting to a MAC address in the access point, the researchers learned that they could communicate with the Gainspan's HTTP server.

This included them asking nicely for the "/gainspan/system/config/network" URL, which returned the configured Wi-Fi SSID and cryptographic pre-shared key (PSK) in cleartext.

"The doorbell is only secured to its back plate by two standard screws. This means that it is possible for an attacker to gain access to the homeowner’s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL. As it is just a simple URL this can be performed quite easily from a mobile device such as a phone and could be performed without any visible form of tampering to the unit."
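
The design flaw behind this is a configuration read-back that echoes stored secrets. The following added example (not code from Ring, Gainspan or Pen Test Partners) models that read-back next to a write-only form, with a regression check for leaked secrets; the field names, sample values and function names are assumptions made for illustration.

```python
import json

# Constructed sample of the settings a provisioned device might hold.
# Field names and values are assumptions, not the real device format.
STORED_CONFIG = {
    "ssid": "HomeNet-Example",
    "security": "wpa2-personal",
    "psk": "correct horse battery staple",
    "eap_password": "",
}

# Secrets are write-only: accepted during provisioning, never read back.
SECRET_FIELDS = {"psk", "eap_password", "wep_key"}


def read_config_vulnerable(cfg):
    """Models the flaw described above: stored settings echoed verbatim."""
    return json.dumps(cfg, sort_keys=True)


def read_config_hardened(cfg):
    """Return non-secret settings; for secrets, report only whether one is set."""
    view = {}
    for key, value in cfg.items():
        if key in SECRET_FIELDS:
            view[key + "_set"] = bool(value)
        else:
            view[key] = value
    return json.dumps(view, sort_keys=True)


def leaked_secrets(cfg, response_body):
    """Regression check: names of secret fields whose value appears in a response."""
    return sorted(
        name for name in SECRET_FIELDS
        if cfg.get(name) and cfg[name] in response_body
    )


if __name__ == "__main__":
    for reader in (read_config_vulnerable, read_config_hardened):
        body = reader(STORED_CONFIG)
        print(reader.__name__, "->", body)
        print("  leaked:", leaked_secrets(STORED_CONFIG, body))
```

A check like `leaked_secrets` belongs in firmware release tests, run against every response the setup-mode server can produce.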

It is unclear whether Ring ever intended to expose this functionality, which caused the Pen Test Partners team to wonder whether they could exploit the vulnerability to upload modified firmware and open a backdoor into a home's network or launch exploits against other Internet of Things (IoT) devices, such as the flawed EZCast TV streamer.

To its credit, however, Ring responded to Pen Test Partners' vulnerability report within minutes. It patched the flaw just two weeks after Pen Test Partners first privately disclosed the bug.

In a statement shared by The Register, Ring said the issue was fixed months ago but had apparently not been removed on the unit tested by Lodge and his fellow researchers.

"This security vulnerability was remedied with Ring's firmware update 1.5 on August 11, 2015. Ring is now on firmware version 1.6. Every time Ring is activated, whether with motion or a doorbell ring, it automatically searches for available firmware updates."

Customers who are unsure about their version of Ring should go to the "Settings" page of the device's app and verify the firmware's version for themselves. For more information, customers can also send an email to security@ring.com and chat with a representative about what Ring is doing to protect their security. Could make for an interesting call.

4 Responses

  1. Cur M. Udgeon

    January 15, 2016 at 6:33 pm #

    I suppose it should come as no surprise that the Internet of Stupid Things has come this far. Just goes to show that putting the "smart" descriptor on something doesn't make it any less stupid.

  2. Vito

    January 15, 2016 at 6:37 pm #

    The obvious solution is to put this "smart" doorbell in a secure location…like inside the house.

    Oh, wait…

  3. coyote

    January 15, 2016 at 7:03 pm #

    It might be 'nifty' but it's still a silly (which really is a bit too nice of a word) want and not a need (no, it's not needed no matter how many times the company or society says it is; if you can't understand this then I hope you never are in poverty or become homeless because you'll be in for a huge shock at just how much you had was a luxury and not a necessity).

    Just like all IoT devices. Some are worse than silly, of course, and more like completely stupid but in the end the IoT is broken by design even without the fact the Internet wasn't designed with security in mind (hence why we have updates to protocols, migration to newer protocol, etc.). This is another example of a (a ?) brain-dead 'smart device'.

  4. randy

    January 19, 2016 at 8:44 pm #

    I just DON'T think many people will be running to your wireless doorbell for information,
    sounds a little paranoid.
