Slashdot Mirror


Serious Amazon Ring Vulnerability Leaves Audio, Video Feeds Open To Attack (betanews.com)

Mark Wilson shares a report from BetaNews: Security researchers from Dojo by Bullguard have discovered a vulnerability in Amazon's Ring doorbell that leaves it prone to man-in-the-middle attacks. As well as enabling a hacker to access audio and video feeds in a severe violation of both privacy and security, the vulnerability also means that an attacker could replace a feed with footage of their own. Revealing the security flaw at Mobile World Congress, Yossi Atias from Dojo demonstrated how a feed could be hijacked and injected with counterfeit video. The vulnerability poses a number of risks. The ability to spy on audio and video feeds has obvious privacy implications, but it could also enable a hacker to monitor comings and goings to determine when a house will be empty. Using easily-available tools, it is possible to intercept Ring's RTP stream and extract a viewable MPEG video.


  1. Re:Waiting for the exploit by adrn01 · · Score: 1

    Flashing for the lazy, no need to even leave the house now: "Ding-dong!" --> "Long-dong!!!"

  2. Re:Yawn ... connected crap is crap ... by b0s0z0ku · · Score: 1

    Get a cloudfree camera and internal DVR. Same functionality without you paying to contribute to the massive surveillance networks Scumazon and Scroogle are building.

  3. Re:Good news! by b0s0z0ku · · Score: 3, Interesting

    Frankly, I don't want cloud storage as an option, unless it's encrypted with my own keypair. I don't want to buy a camera, then pay monthly for the privilege of contributing to Amazon's outsourced surveillance network.

  4. Re:Yawn ... connected crap is crap ... by JaredOfEuropa · · Score: 1

    I got a Doorbird instead. Is it more secure than the Ring? Doubtful. But it can run off the cloud if you want it to, with a little effort. The camera stream is available as RTSP, and the video intercom function supports SIP. My Doorbird is firewalled and talks to a home DVR system and Asterisk server. Same functionality, off the cloud, and will keep working if the company goes the way of the dodo.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  5. Re: Jokes on them! by edris90 · · Score: 1

    That's fair enough those who don't accept security is just posturing, role-based countless dollars and time on a fruitless task, when they could have adjusted their life to function from a philosophy of everyone's going to know anyway. There are two ways to solve the problem. Eliminate it. And this case that one is a lost cause. The second way to solve a problem is to adjust your underlying system of operation to count on these sort of things happening and plan on not being able to predict when so that you are motivated to prepare and when it happens are not traumatized by it. Similar to how we learn not to cry and freak out just cuz it's raining on a day we want to play outside we learned to accept that sometimes it's going to rain. And we plan and prepare for it so that we don't have to care when it does.

  6. Re:Yawn ... connected crap is crap ... by Narcocide · · Score: 2

    So, you're right. Let me just get that right out in the open first, because you're right even though you probably won't get any up-mods for it.

    But as I'm reading this it strikes me as problematic in the way you've presented your argument. I keep hearing the words of others echoing in my head, telling me that I was too biased to be heeded when I tried to protect them in this manner.

    So you (both of us, really) have to figure out a way to make this argument sound like it is coming from someone rational and unbiased, but still knowledgeable. I've tried leaving out the emotionally-charged rhetoric and just piling on raw facts, but then this same archetypal person will just assume I'm trying to bamboozle them with complicated words, instead.

    So, seriously here. How do we get this same point across when we're not preaching to the choir?

  7. Re:You mean.. by LifesABeach · · Score: 1

    Depends?

  8. Really Everyone? OK, Let Me Be the First to Post It by LifesABeach · · Score: 1

    Bezos: We wants it, we needs it. Must have the precious.

  9. These things really should be using a VPN by Solandri · · Score: 2

    The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN server on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.

    Unfortunately, the VPN server part of that is rather challenging to set up. People are lazy / technically challenged. These device manufacturers have to cater to the lowest common denominator, which means they need a way for these devices to work even for the laziest and most clueless buyer. So they make these devices connect to their server over the Internet. (Not that they mind, since it allows them to collect usage data.) Your phone, tablet, or laptop then connects to their servers, which then hands off the connection to your home device. But because you're now trusting a third party, that exposes you to all sorts of attacks by the Internet at large.

    1. Re:These things really should be using a VPN by SeaFox · · Score: 2

      The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN server on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.

      Isn't part of the issue with these devices that they are not self-contained products? Their capabilities are tied into remote servers (and services) that the customer does not control. People go to a central website and use apps that route through a corporate mothership mainly to get around the end user being on DHCP internet service and behind consumer networking equipment. Part of that is by design, can't charge a monthly fee for them if they are capable of working without internet access.

      I know DDNS is pretty easy and many home routers even offer built-in VPN servers, but that's still a bunch of outside config that is beyond the technical abilities of most of the people these companies want to target.

    2. Re:These things really should be using a VPN by Tom · · Score: 1

      In general I agree.

      But a security device should have Internet access, because that is a secure storage for its data. If it would stream to a desktop machine inside the house, then in case of a burglary chances are good that this computer is gone.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:These things really should be using a VPN by AmiMoJo · · Score: 1

      Standard HTTPS with a pinned certificate would have been fine for this application, but they didn't even manage to do that. Quite incredible levels of incompetence for such a big company with massive cloud infrastructure.

      I don't really understand Ring though. If I'm in I'll answer it, if I'm not there isn't much I can do anyway and anyone important will leave a card. So why do I need it?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:These things really should be using a VPN by tlhIngan · · Score: 1

      Isn't part of the issue with these devices that they are not self-contained products? Their capabilities are tied into remote servers (and services) that the customer does not control. People go to a central website and use apps that route through a corporate mothership mainly to get around the end user being on DHCP internet service and behind consumer networking equipment. Part of that is by design, can't charge a monthly fee for them if they are capable of working without internet access.

      I know DDNS is pretty easy and many home routers even offer built-in VPN servers, but that's still a bunch of outside config that is beyond the technical abilities of most of the people these companies want to target.

      You can get standalone DVRs that don't require the cloud at all. But then you know what? People misconfigure them and they get exposed all over the internet. Either with default credentials so everyone can spy on what the cameras see, or as typical with these devices, they get exploited and become a part of a massive botnet that DDoS's infrastructure.

      Standalone machines also typically don't have as robust auto-update features for software updates so users will typically forget to update.

      It's really a pick your poison sort of deal.

    5. Re:These things really should be using a VPN by SeaFox · · Score: 1

      You can get standalone DVRs that don't require the cloud at all. But then you know what? People misconfigure them and they get exposed all over the internet. Either with default credentials so everyone can spy on what the cameras see, or as typical with these devices, they get exploited and become a part of a massive botnet that DDoS's infrastructure.

      I think a lot of the blame there goes to the writers of the firmware for those devices. The security issues and backdoors are many times baked in as part of testing and not removed before production, or left in to allow support people an easy backdoor to avoid the "well, you locked yourself out, you'll have to hard reset that and lose all your data" convo.

      With those stand-alone devices, more of the legwork with setup is expected on the customer side, too. So we're back to "limited support, or limit autonomy", as you said.

  10. Re:Good news! by Anonymous Coward · · Score: 1

    Get even. Play a high quality porno loop, pretending it's from your camera. Might even make you a few new friends, and give the watchers something to do.

  11. Important note: It's patched. by zarmanto · · Score: 1

    From the very end of the linked article:

    "Important note: Ring has patched this vulnerability in version 3.4.7 of the ring app (Without notifying users in the patch notes!). Please make sure to upgrade to a newer version ASAP as the affected versions are still backward compatible and vulnerable."

    (I think I'm beginning to understand that whole "read the last page first" philosophy.)
