Ring Doorbell has patched a flaw that allowed attackers to spy on the doorbell's feed and inject their own footage into the application, thereby undermining users' home security.
Researchers at Dojo, Bullguard's Internet of Things (IoT) security team, discovered the vulnerability while performing an independent security assessment of the smart doorbell.
They began their analysis by inspecting the device's network traffic. This step revealed that a ding at the doorbell triggers an API call to an AWS relay server. In response, the server communicates with the device and triggers a notification. An audio/video stream then makes its way to the server, which bounces it to the application.
Taking a closer look at the application's call setup, Dojo found that Ring wasn't using the standardized SIP/TLS and SRTP protocols. Instead, it was employing its own SIP/RTP crypto that added a security triplet in the “INVITE” SIP message.
The researchers then transitioned to sniffing the application and found that the RTP traffic was being transmitted in plaintext. Building on this discovery, they extracted an MPEG file through which they could view the video feed. They found it was also possible to access the audio stream so long as they had access to incoming packets.
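The condition described above can be checked from the defender's side by auditing a captured call setup. The sketch below is an added example, not code from Dojo or Ring: it inspects a SIP INVITE and its SDP offer for SIP/TLS signaling and SRTP media profiles. Both sample messages are constructed for illustration and do not reproduce Ring's traffic or its proprietary security triplet.

```python
import re

# SDP media profiles that negotiate SRTP (RFC 3711, RFC 5124, RFC 5764).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
KEYING = ("a=crypto:", "a=fingerprint:")  # SDES or DTLS-SRTP keying attributes

def audit_invite(message: str) -> list[str]:
    """Return findings for one SIP INVITE that carries an SDP offer."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    if via is None or via.group(1).upper() != "TLS":
        findings.append("signaling: SIP is not carried over TLS")
    session_keyed, sections = False, []  # sections hold [media, proto, keyed]
    for line in body.splitlines():
        fields = line[2:].split()
        if line.startswith("m=") and len(fields) >= 3:
            sections.append([fields[0], fields[2], False])
        elif line.startswith(KEYING):
            if sections:
                sections[-1][2] = True   # media-level keying
            else:
                session_keyed = True     # session-level keying covers all media
    for media, proto, keyed in sections:
        if proto not in SECURE_PROFILES:
            findings.append(f"media: {media} offered as {proto}, plaintext RTP")
        elif not (keyed or session_keyed):
            findings.append(f"media: {media} offered as {proto} without keying")
    return findings

# Constructed sample messages (documentation addresses, placeholder key).
PLAINTEXT_INVITE = "\n".join([
    "INVITE sip:app@example.invalid SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
    "Content-Type: application/sdp", "",
    "v=0", "o=- 0 0 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 40000 RTP/AVP 0",
    "m=video 40002 RTP/AVP 96", "a=rtpmap:96 H264/90000",
])
SECURED_INVITE = "\n".join([
    "INVITE sips:app@example.invalid SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bKconstructed",
    "Content-Type: application/sdp", "",
    "v=0", "o=- 0 0 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 40000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY",
])
if __name__ == "__main__":
    print("\n".join(audit_invite(PLAINTEXT_INVITE)))
```

A custom scheme that carries its key material in non-standard INVITE fields while still offering `RTP/AVP` is reported as plaintext by this check, because nothing in the offer asks the media stack for SRTP.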
In its estimation, Dojo said it could get the appropriate level of access by exploiting another smart home device if the user was home or by tricking them into joining a rogue Wi-Fi network.
The researchers didn't stop there, however. They also found it was possible to inject their own feed. This could set the stage for all kinds of attacks.
Or Cyngiser, a digital security researcher at Dojo, provided one such example in a blog post:
The attack scenarios possible are far too numerous to list, but for example imagine capturing an Amazon delivery and then streaming this feed. It would make for a particularly easy burglary. Spying on the doorbell allows for gathering of sensitive information – household habits, names and details about family members including children, all of which make the target an easy prey for future exploitation. Letting the babysitter in while kids are at home could be a potentially life-threatening mistake.
Dojo reported the vulnerability to Ring's security teams, who patched the flaw in version 3.4.7. Users of the Doorbell should update to this latest version as soon as possible.
Ring also issued the following statement:
Customer trust is important to us and we take the security of our devices seriously. The issue in the Ring app was previously fixed and we always encourage customers to update their apps and phone operating systems to the latest versions.
This flaw highlights the ongoing security challenges involved with IoT devices. Government entities such as the Department of Homeland Security (DHS) and the National Institute of Standards and Technology are aware of these challenges, which is why they've published their own security guidance for the Internet of Things. Even so, others feel that the only sensible way forward is for IoT manufacturers and providers to agree to a common set of standards emphasizing security best practices.