Slashdot Mirror


Serious Amazon Ring Vulnerability Leaves Audio, Video Feeds Open To Attack (betanews.com)

Mark Wilson shares a report from BetaNews: Security researchers from Dojo by Bullguard have discovered a vulnerability in Amazon's Ring doorbell that leaves it prone to man-in-the-middle attacks. As well as enabling a hacker to access audio and video feeds in a severe violation of both privacy and security, the vulnerability also means that an attacker could replace a feed with footage of their own. Revealing the security flaw at Mobile World Congress, Yossi Atias from Dojo demonstrated how a feed could be hijacked and injected with counterfeit video. The vulnerability poses a number of risks. The ability to spy on audio and video feeds has obvious privacy implications, but it could also enable a hacker to monitor comings and goings to determine when a house will be empty. Using easily-available tools, it is possible to intercept Ring's RTP stream and extract a viewable MPEG video.

43 comments

  1. You use the cloud by Anonymous Coward · · Score: 0

    You forfeit your right and expectation to privacy.
    This isn't a privacy issue, it is a security slip (or rather intentional gap only)

    1. Re:You use the cloud by Anonymous Coward · · Score: 0

      Change creimette video feed for an Amazon guy delivering cliff bars and have him run downstairs!

    2. Re:You use the cloud by Anonymous Coward · · Score: 0

      Creimer is too busy making YouTube videos and sticking it to The Verge for abusing YouTube's copyright system.

    3. Re:You use the cloud by Anonymous Coward · · Score: 0

      And when is creimer going to stick it to Amazon? Put your money where your mouth is Chris!

  2. You mean.. by Anonymous Coward · · Score: 0

    a different leak, not the previous one where an unsecured AWS bucket was shared from a Ukrainian software subcontractor that had access to every single RING video on the entire worldwide network, a new leak instead?

    Do tell.

    1. Re:You mean.. by Anonymous Coward · · Score: 0

      Both creimette himself and his Amazon schemes are perpetually leaking.

    2. Re:You mean.. by LifesABeach · · Score: 1

      Depends?

  3. Yawn ... connected crap is crap ... by Anonymous Coward · · Score: 0

    I have reached the point of laughing at this shit.

    It's a connected consumer device, therefore it is 100% guaranteed to be riddled with security holes, potential bypasses, exploits, and privacy risks.

    Pretty much without fail, this connected shit, this smart home shit ... whatever the fuck we call it ... this stuff is proven to either lack basic security, or have a weak ass attempt at security, or is in of itself malicious.

    So, boo mother fucking hoo ... you bought a fucking device which leaves a fucking tech company in charge of security on your house.

    That shit is on you for being such a fucking moron in the first place.

    If you made companies who make connected products 100% legally liable for both security and privacy, I would still assume in 10 years the quality of this stuff would still be garbage.

    I am not surprised to hear this, and I'm tired of having to say it ... but buying this fucking shit because it's shiny and cool and you can run your life from a fucking app ... that doesn't entitle you to any fucking sympathy for running stuff you don't understand written by people who are more interested in serving you ads than selling you a secure product.

    Fuck Amazon and any other making a fucking internet connected doorbell. If you're stupid enough to buy this shit, you deserve what you get.

    The overwhelming majority of connected gadgets are literally pointless, written by idiots, and so insecure as to be laughable. Obsessively buying this crap and getting burned by it ... that's all on you.

    1. Re:Yawn ... connected crap is crap ... by Anonymous Coward · · Score: 0

      Whoo boy you can see how often my neighbors walk their dog and who's stealing the packages off my front porch.

      Oh, but only if you've broken in to my wifi network /and/ I happen to be using live view on my smartphone at that given moment.

      Well, that kind of sucks. I was hoping you could identify drug the package stealers.. Oh wait, I can just use the app built in to the service and post the videos on social media.

      For fuck's sake. If you don't want something being recorded and spread around, don't point a fucking video camera at it.

      I got a video doorbell so I could make my front door LESS FUCKING PRIVATE IN THE FIRST PLACE

    2. Re:Yawn ... connected crap is crap ... by b0s0z0ku · · Score: 1

      Get a cloudfree camera and internal DVR. Same functionality without you paying to contribute to the massive surveillance networks Scumazon and Scroogle are building.

    3. Re:Yawn ... connected crap is crap ... by JaredOfEuropa · · Score: 1

      I got a Doorbird instead. Is it more secure than the Ring? Doubtful. But it can run off the cloud if you want it to, with a little effort. The camera stream is available as RTSP, and the video intercom function supports SIP. My Doorbird is firewalled and talks to a home DVR system and Asterisk server. Same functionality, off the cloud, and will keep working if the company goes the way of the dodo.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Yawn ... connected crap is crap ... by Narcocide · · Score: 2

      So, you're right. Let me just get that right out in the open first, because you're right even though you probably won't get any up-mods for it.

      But as I'm reading this it strikes me as problematic in the way you've presented your argument. I keep hearing the words of others echoing in my head, telling me that I was too biased to be heeded when I tried to protect them in this manner.

      So you (both of us, really) have to figure out a way to make this argument sound like it is coming from someone rational and unbiased, but still knowledgeable. I've tried leaving out the emotionally-charged rhetoric and just piling on raw facts, but then this same archetypal person will just assume I'm trying to bamboozle them with complicated words, instead.

      So, seriously here. How do we get this same point across when we're not preaching to the choir?

    5. Re:Yawn ... connected crap is crap ... by Anonymous Coward · · Score: 0

      So, seriously here. How do we get this same point across when we're not preaching to the choir?

      OP here ... honestly, I've given up on trying, because everyone is so hell bent on using these things you can't stop it. People are obsessed with having connected things with apps they can control from their phone.

      But, I did find one wedge I could make work ... Barbie.

      A couple of years ago, I knew a couple who had a bunch of grandchildren.

      They had bought a network connected doorlock, and when they told me this I kinda rolled my eyes and said "well, I'll refrain from commenting, glad you're happy with it" .. they pushed a little, and I basically said "I don't trust these products, but I accept that you like them and I'll hold my tongue". They sort of wrote me off as being a little too paranoid.

      A few months later they were all in a tizzy because they'd heard about Hello Barbie potentially invading the privacy of children, and they were outraged.

      The conversation went something like "well, this is a company concerned with selling you a product, and using your information, they're not really concerned with your privacy or security" ... they expressed sufficient outrage and indignation their grandbabies could be spied on by tech ... I said "so, remember your network connected door lock? It likely has a lot of the same issues because it's all the same basic technology and because companies are lazy and greedy".

      This was met by absolutely stunned silence, but I honestly don't know if they still have the lock because I refuse to ask or care.

      So, you can point out Barbie, you can point out baby monitors which have been hacked, you can point out security cameras which are sending their feeds to the open internet ... you can point them to news articles, you can calmly explain that without good security, if you can access it from the internet someone else probably can ... you can talk about TVs which upload your viewing history even when you opt out, and you can talk about vulnerabilities in UPNP which they probably used to set their toys up, and you can even try to explain weak default passwords and back doors.

      And, at the end of the day, they will decide their shiny bauble is just too appealing, that it will never happen to them, and that after all, you're pretty well known to be a little crazy on this topic and can't be trusted -- and that the existential validation from having a fucking app outweighs any risks.

      Then you do the only thing you can, say fuck 'em all, and laugh your ass off every time you see one of these stories -- I no longer spend my energy on trying to convince people about this stuff, because nobody wants to hear it.

      God help the poor fucker who ever says to me "wow, I think my 'puter has been hacked, can you have a look?"

  4. Good news! by Anonymous Coward · · Score: 0

    Using easily-available tools, it is possible to intercept Ring's RTP stream and extract a viewable MPEG video.

    So that means I can intercept the video on my LAN and store the video locally? Cloud-dependent video is just stupid, I want local (with cloud storage as just an option).

    1. Re:Good news! by b0s0z0ku · · Score: 3, Interesting

      Frankly, I don't want cloud storage as an option, unless it's encrypted with my own keypair. I don't want to buy a camera, then pay monthly for the privilege of contributing to Amazon's outsourced surveillance network.

    2. Re:Good news! by Anonymous Coward · · Score: 0

      So don't? Does anyone force you to spend your cash on it?

    3. Re:Good news! by Anonymous Coward · · Score: 1

      Get even. Play a high quality porno loop, pretending it's from your camera. Might even make you a few new friends, and give the watchers something to do.

  5. Waiting for the exploit by Anonymous Coward · · Score: 0

    That streams porn to people's doorbells in 3...2...1...

    1. Re:Waiting for the exploit by Anonymous Coward · · Score: 0

      *Pornbells

      captcha: (it really is) pinhole

    2. Re:Waiting for the exploit by adrn01 · · Score: 1

      Flashing for the lazy, no need to even leave the house now: "Ding-dong!" --> "Long-dong!!!"

  6. what did you expect? by Anonymous Coward · · Score: 0

    it's a gadget with video cameras and microphones connected to the internet..... it getting hacked, and hacked continuously, is inevitable.

  7. Overpriced junk by Anonymous Coward · · Score: 0

    Seriously how did we ever get along without these devices? Oh I know, we just did and were better for it.

  8. Jokes on them! by Anonymous Coward · · Score: 0

    Joke's on them! My Ring, like a good number of people's, has never worked! Good luck spying on my “brick”.

    1. Re: Jokes on them! by edris90 · · Score: 1

      That's fair enough those who don't accept security is just posturing, role-based countless dollars and time on a fruitless task, when they could have adjusted their life to function from a philosophy of everyone's going to know anyway. There are two ways to solve the problem. Eliminate it. And this case that one is a lost cause. The second way to solve a problem is to adjust your underlying system of operation to count on these sort of things happening and plan on not being able to predict when so that you are motivated to prepare and when it happens are not traumatized by it. Similar to how we learn not to cry and freak out just cuz it's raining on a day we want to play outside we learned to accept that sometimes it's going to rain. And we plan and prepare for it so that we don't have to care when it does.

  9. Really Everyone? OK, Let Me Be the First to Post It by LifesABeach · · Score: 1

    Bezos: We wants it, we needs it. Must have the precious.

  10. These things really should be using a VPN by Solandri · · Score: 2

    The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN server on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.

    Unfortunately, the VPN server part of that is rather challenging to set up. People are lazy / technically challenged. These device manufacturers have to cater to the lowest common denominator, which means they need a way for these devices to work even for the laziest and most clueless buyer. So they make these devices connect to their server over the Internet. (Not that they mind, since it allows them to collect usage data.) Your phone, tablet, or laptop then connects to their servers, which then hand off the connection to your home device. But because you're now trusting a third party, that exposes you to all sorts of attacks by the Internet at large.

    1. Re:These things really should be using a VPN by SeaFox · · Score: 2

      The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN server on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.

      Isn't part of the issue with these devices that they are not self-contained products? Their capabilities are tied into remote servers (and services) that the customer does not control. People go to a central website and use apps that route through a corporate mothership mainly to get around the end user being on DHCP internet service and behind consumer networking equipment. Part of that is by design, can't charge a monthly fee for them if they are capable of working without internet access.

      I know DDNS is pretty easy and many home routers even offer built-in VPN servers, but that's still a bunch of outside config that is beyond the technical abilities of most of the people these companies want to target.

    2. Re:These things really should be using a VPN by Anonymous Coward · · Score: 0

      All these IOT things - it should be mandatory they have say an up to five star rating on the side of the box, so those with shitty deficient security are left behind.
      But like sugary junk snacks, evil manufacturers want ignorant purchasers being unselective, or buying the packaging.

    3. Re:These things really should be using a VPN by Tom · · Score: 1

      In general I agree.

      But a security device should have Internet access, because that is a secure storage for its data. If it would stream to a desktop machine inside the house, then in case of a burglary chances are good that this computer is gone.

      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:These things really should be using a VPN by AmiMoJo · · Score: 1

      Standard HTTPS with a pinned certificate would have been fine for this application, but they didn't even manage to do that. Quite incredible levels of incompetence for such a big company with massive cloud infrastructure.

      I don't really understand Ring though. If I'm in I'll answer it, if I'm not there isn't much I can do anyway and anyone important will leave a card. So why do I need it?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
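
The pinned-certificate check this comment refers to, as an added example that is not part of the original thread and is not Ring's code: the client runs normal TLS chain and hostname validation, then additionally requires the server's leaf certificate to match a fingerprint shipped with the app, so an interception proxy holding some other certificate is refused. Function names, the pin format (SHA-256 of the DER certificate) and the sample byte strings are assumptions made for illustration.

```python
"""Certificate pinning layered on normal TLS validation (added example)."""
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Chain validated, but the leaf certificate is not one we pinned."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned) -> bool:
    """True if the certificate fingerprint equals any pinned value.

    Every pin is checked with a constant-time compare. An empty pin set
    never matches, so a missing configuration fails closed.
    """
    seen = fingerprint(der_cert)
    ok = False
    for pin in pinned:
        ok |= hmac.compare_digest(seen, pin.strip().lower())
    return ok


def connect_pinned(host: str, port: int, pinned, timeout: float = 5.0):
    """Open a TLS connection and return it only if the leaf cert is pinned."""
    ctx = ssl.create_default_context()  # chain + hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pinned):
        tls.close()  # refuse before any application data is sent
        raise PinMismatch(f"unexpected certificate presented by {host}")
    return tls


# Constructed sample data: stand-ins for DER certificate bytes, not real certs.
CONSTRUCTED_LEAF = b"constructed stand-in for the vendor's DER certificate"
CONSTRUCTED_BACKUP = b"constructed stand-in for the next (rotation) certificate"
CONSTRUCTED_PROXY = b"constructed stand-in for an interception proxy certificate"

# Ship the current pin plus a backup so certificate rotation does not brick clients.
PINS = {fingerprint(CONSTRUCTED_LEAF), fingerprint(CONSTRUCTED_BACKUP).upper()}


def demo() -> dict:
    """Evaluate the pin check against the three constructed certificates."""
    return {
        "leaf": pin_matches(CONSTRUCTED_LEAF, PINS),
        "backup": pin_matches(CONSTRUCTED_BACKUP, PINS),
        "proxy": pin_matches(CONSTRUCTED_PROXY, PINS),
    }


if __name__ == "__main__":
    print(demo())
```
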
    5. Re:These things really should be using a VPN by Anonymous Coward · · Score: 0

      Finally, someone who gets it. I couldn't agree with you more.

      All these internet-enabled devices are non-starters for me the instant they cannot work strictly within the confines of your own LAN and they're non-functional if they can't talk to the outside world.

      Ever since I was a kid I had high hopes for home automation. Seeing how *badly* all of these devices are designed however (and they don't *have* to be that way) leaves me thinking there's actually *nothing* out there right now that I want, exactly because of that.

    6. Re:These things really should be using a VPN by tlhIngan · · Score: 1

      Isn't part of the issue with these devices that they are not self-contained products? Their capabilities are tied into remote servers (and services) that the customer does not control. People go to a central website and use apps that route through a corporate mothership mainly to get around the end user being on DHCP internet service and behind consumer networking equipment. Part of that is by design, can't charge a monthly fee for them if they are capable of working without internet access.

      I know DDNS is pretty easy and many home routers even offer built-in VPN servers, but that's still a bunch of outside config that is beyond the technical abilities of most of the people these companies want to target.

      You can get standalone DVRs that don't require the cloud at all. But then you know what? People misconfigure them and they get exposed all over the internet. Either with default credentials so everyone can spy on what the cameras see, or as typical with these devices, they get exploited and become a part of a massive botnet that DDoS's infrastructure.

      Standalone machines also typically don't have as robust auto-update features for software updates so users will typically forget to update.

      It's really a pick your poison sort of deal.

    7. Re:These things really should be using a VPN by SeaFox · · Score: 1

      You can get standalone DVRs that don't require the cloud at all. But then you know what? People misconfigure them and they get exposed all over the internet. Either with default credentials so everyone can spy on what the cameras see, or as typical with these devices, they get exploited and become a part of a massive botnet that DDoS's infrastructure.

      I think a lot of the blame there goes to the writers of the firmware for those devices. The security issues and backdoors are many times baked in as part of testing and not removed before production, or left in to allow support people an easy backdoor to avoid the "well, you locked yourself out, you'll have to hard reset that and lose all your data" convo.

      With those stand-alone devices, more of the legwork with setup is expected on the customer side, too. So we're back to "limited support, or limit autonomy", as you said.

  11. pointless research by Anonymous Coward · · Score: 0

    Another pointless research, triggered only by Amazon buying Ring.
    Determining when house is empty can be easily done just monitoring the house or using any number of other monitoring tools... which are way easier to accomplish. Spying on one's feeds is same...
    In fact it should be way more open and flexible, I fear because of this idiotic furor we will see less focus on quality and functionality and waste of resources on pointless security features.
    In addition, if you really need that much privacy and security, why don't you invest in a serious security solution. Ring ain't security but a monitoring solution primarily.

  12. Use wired LAN! by Anonymous Coward · · Score: 0

    Why is every single smart-home anything exclusively using WiFi? Give me hard-wired LAN for everything, or I won't touch it.

    I've been on the market for a smart doorbell - primarily just for the camera tbh, not really for anything else - and there doesn't seem to be a single one that is exclusively wired LAN.

    I'll opt for putting in a security camera instead, but that's a lot less subtle and a lot more likely to freak the neighbours. A proper dumb-doorbell with a dumb-LAN-wired camera (none of the cloud storage shite) is all I want.

    1. Re: Use wired LAN! by Anonymous Coward · · Score: 0

      Ring Doorbell Elite

  13. It's been patched for awhile by Anonymous Coward · · Score: 0

    It's been patched as of 3.4.7; current Ring app version is 3.10.x. The linked article even mentions it has been fixed.

  14. Wow, thanks for this one. by Anonymous Coward · · Score: 0

    I didn't know about Amazon Ring. Sometimes reality surpasses one's weirdest imagination. I am... flabbergasted.

    Internet Of Idiots.

  15. Important note: It's patched. by zarmanto · · Score: 1

    From the very end of the linked article:

    "Important note: Ring has patched this vulnerability in version 3.4.7 of the ring app (Without notifying users in the patch notes!). Please make sure to upgrade to a newer version ASAP as the affected versions are still backward compatible and vulnerable."

    (I think I'm beginning to understand that whole "read the last page first" philosophy.)

    1. Re:Important note: It's patched. by Anonymous Coward · · Score: 0

      Is the vulnerability in the app or the doorbell device?

  16. Someone messed with my feed once by Anonymous Coward · · Score: 0

    It was a floodlight cam for my driveway. I noticed that when I would do Live view that it was showing old footage. I walked out into the driveway and I wasn't showing in the footage. Plus it was showing daytime footage in the stream when it was night time.

    As such, shutting off the power to the device for a few minutes and turning it back on seemed to reset it. I wasn't sure if I had been hacked or if something was frozen in the software. Either way, I constantly monitor it.

  17. Uninformative headline by Anonymous Coward · · Score: 0

    I must say, even though I'm generally fairly well informed about what's going on in this field, I was left scratching my head over WTF an "Amazon Ring" was, and in what way such a thing could have some sort of vulnerability. One extra word ("doorbell") would've cleared that right up (fortunately it's in the summary).

    I'm sure that headline, as it is, is completely meaningless for a lot more people.

  18. Amazon by sadafba786 · · Score: 1

    To maximize the power of your product listing , ensure that the negative reviews or the complete lack of reviews is taken care of on your listing page. Both are equally lethal!