Ring-a-ding: IoT doorbell exposed customers' Wi-Fi passwords to eavesdroppers


Ring's configuration software sent unencrypted Wi-Fi configuration info to certain devices, exposing customers' home networks. (credit: Smith Collection / Gado / Getty Images)

Ring has fixed a security problem in the configuration code of its Internet-connected home security products. Bitdefender researchers informed Ring in June of a flaw in the Ring Video Doorbell Pro's camera software that allowed wireless eavesdroppers to capture customers' Wi-Fi credentials while the device was being configured, because that information was transmitted over an unsecured Wi-Fi connection to the device via unencrypted HTTP.

In a bug report released yesterday as part of a coordinated disclosure with Ring, researchers at Bitdefender explained that when customers set up an out-of-the-box Ring Video Doorbell Pro:

… The smartphone app (for Ring) must send the wireless network credentials. When entering setup mode, the device creates an access point without a password (the SSID contains the last three bytes of the MAC address). Once this network is up, the app automatically connects to it, queries the device, and sends the credentials to the local network. All these exchanges are done through plain HTTP. This means that the credentials are exposed to any nearby eavesdroppers.

An attacker could take advantage of this bug by forcing a victim to reconfigure the doorbell. The attacker could use a Wi-Fi deauthorization ("deauth") attack against the device to put it back into setup mode, and on a malicious Wi-Fi device to make the ringing sound ring his network.
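For anyone testing their own device's onboarding flow for the exposure described above, the following added example (not code from Bitdefender, Ring, or the article) scans raw cleartext HTTP requests recovered from a capture of your own setup traffic and reports credential-like fields without echoing their values. The request path, field names and key-name heuristic are assumptions made for illustration; the article does not describe the actual setup API.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristic: key-name fragments that suggest Wi-Fi credentials.
SENSITIVE = ("ssid", "psk", "pass", "pwd", "key", "secret")

def flatten(node, prefix=""):
    """Flatten nested JSON into (dotted.key, value) pairs."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in flatten(v, f"{prefix}{k}.")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in flatten(v, f"{prefix}{i}.")]
    return [(prefix.rstrip("."), str(node))]

def fields(raw: bytes):
    """Parse one raw HTTP/1.x request; return (request line, key/value pairs)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in lines[1:])}
    target = (lines[0].split(" ") + [""])[1]
    # Credentials can leak in the query string as well as in the body.
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    text = body.decode("utf-8", "replace")
    if "json" in ctype:
        try:
            pairs += flatten(json.loads(text))
        except ValueError:
            pass  # malformed body: nothing to extract
    elif "x-www-form-urlencoded" in ctype:
        pairs += parse_qsl(text, keep_blank_values=True)
    return lines[0], pairs

def audit(requests):
    """Return (request line, key, value length); values are never echoed."""
    findings = []
    for raw in requests:
        line, pairs = fields(raw)
        for key, value in pairs:
            if any(frag in key.lower() for frag in SENSITIVE):
                findings.append((line, key, len(value)))
    return findings

# Constructed sample traffic; the path and field names are hypothetical.
SAMPLE = [
    b"GET /status?verbose=1 HTTP/1.1\r\n\r\n",
    b"POST /setup/wifi HTTP/1.1\r\nContent-Type: application/json\r\n\r\n"
    b'{"network": {"ssid": "ExampleNet", "password": "not-a-real-psk"}}',
]
```

Any finding from `audit(SAMPLE)` means a credential-like field crossed the link in cleartext, so the setup exchange needs transport encryption before it carries such fields.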
