Ring Doorbells used HTTP to pass credentials unencrypted

WillyW

Amazon supposedly fixed this security vulnerability as reported here:

 

https://threatpost.com/amazon-fixes-ring-video-doorbell-flaw-that-leaked-wi-fi-credentials/150029/

 

Quote

The key issue with Ring exists in how users first configure the device, which requires the device’s smartphone app to use a wireless connection to send the wireless network credentials to the smart doorbell, researchers said.

“This takes place in an unsecure manner, through an unprotected access point,” researchers wrote. “When entering configuration mode, the device creates an access point without a password (the SSID contains the last three bytes from the MAC address).”

 

I have had an IoT device and based on how bad the security was on that, I've sworn off all IoT until companies can figure out that patching, security and not being first to market are important.

 

If you ever change your network, or let's say the average user:

- gets a new internet service provider

- gets the default wifi router with their service

- has to change the password as most do

- doesn't pick secure passwords, and doesn't care

 

They would be open to all sorts of attacks.

 

Quote

While no Amazon Ring users at this point appeared to have been affected by the flaw, there was some considerable lag time between Bitdefender’s first disclosure of the problem to the company on June 20 and Amazon’s patch and coordinated disclosure of the flaw on Nov. 7.

Bitdefender found the flaw.

 

Here's another article that is more brief:

 

https://techcrunch.com/2019/11/07/amazon-ring-doorbells-wifi-hackers/

 

Quote

Amazon has faced intense scrutiny in recent months for Ring’s work with law enforcement.

 

The link above from the quote showed how Ring wanted to allow law enforcement agencies to hack your doorbell so they could see crimes, but what would stop the law enforcement from rifling around in your network if they wanted to?

 

That's in addition to this:

https://www.theatlantic.com/ideas/archive/2019/05/amazon-owned-ring-wants-report-crime-news/588394/

 

Where Ring wanted to hire a reporter to report on crime so they could raise fear and make people buy more Ring devices.

 

I think that's three strikes.


I can't wait to dump my Ring doorbell, I am just waiting on the Ubiquiti G4 Doorbell to go to the Early Access store so I can pick it up and have it integrated within Protect. Hopefully any day now...


Everyone who I know (except people here) who has a Ring is completely clueless when it comes to IT & Security.


7 minutes ago, Shadow Bullet said:

Ubiquiti G4 Doorbell

Not sure if serious...

 

Do you have any info on this?

"And I'll be damned if I let myself trip from a lesser man's ledge"


35 minutes ago, WillyW said:

Everyone who I know (except people here) who has a Ring is completely clueless when it comes to IT & Security.

Because no one who actually cares about security or privacy would own one.


1 hour ago, RejZoR said:

Because no one who actually cares about security or privacy would own one.

Or, those of us who do care and have it are smart enough to wall them off from the rest of the network :P


4 hours ago, WillyW said:

Everyone who I know (except people here) who has a Ring is completely clueless when it comes to IT & Security.

Why use an overpriced product when a Raspberry Pi Zero W with a camera module works just fine?

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Ah, another week, another IoT security faux pas


another day, another IOT security flaw.

i'm running out of memes to put in here...

but here's one anyways:

i can't believe that Cosby is out of jail, i'm gonna pull a T.I to ensure my daughter is safe...

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


7 hours ago, Velcade said:

Not sure if serious...

 

Do you have any info on this?

Yes, I am serious, it is coming at some point as we have seen it in Protect marketing images and the Ubiquiti Devs have very very slightly hinted at it before, but not much has been heard about it. It is however supposed to have a tiny LCD screen to display text however.
