Slashdot Mirror
Serious Amazon Ring Vulnerability Leaves Audio, Video Feeds Open To Attack (betanews.com)
Mark Wilson shares a report from BetaNews: Security researchers from Dojo by Bullguard have discovered a vulnerability in Amazon's Ring doorbell that leaves it prone to man-in-the-middle attacks. As well as enabling a hacker to access audio and video feeds in a severe violation of both privacy and security, the vulnerability also means that an attacker could replace a feed with footage of their own. Revealing the security flaw at Mobile World Congress, Yossi Atias from Dojo, demonstrated how a feed could be hijacked and injected with counterfeit video. The vulnerability poses a number of risks. The ability to spy on audio and video feeds has obvious privacy implications, but it could also enable a hacker to monitor comings and goings to determine when a house will be empty. Using easily-available tools, it is possible to intercept Ring's RTP stream and extract a viewable MPEG video.
Frankly, I don't want cloud storage as an option, unless it's encrypted with my own keypair. I don't want to buy a camera, then pay monthly for the privilege of contributing to Amazon's outsourced surveillance network.
So, you're right. Let me just get that right out in the open first, because you're right even though you probably won't get any up-mods for it.
But as I'm reading this it strikes me as problematic in the way you've presented your argument. I keep hearing the words of others echoing in my head, telling me that I was too biased to be heeded when I tried to protect them in this manner.
So you (both of us, really) have to figure out a way to make this argument sound like it is coming from someone rational and unbiased, but still knowledgeable. I've tried leaving out the emotionally-charged rhetoric and just piling on raw facts, but then this same archetypal person will just assume I'm trying to bamboozle them with complicated words, instead.
So, seriously here. How do we get this same point across when we're not preaching to the choir?
The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN sever on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.
Unfortunately, the VPN server part of that is rather challenging to set up. People are lazy / technically challenged. These device manufacturers have to cater to the lowest common denominator, which means they need a way for these devices to work even for the laziest and most clueless buyer. So they make these devices connect to their server over the Internet. (Not that they mind, since it allows them to collect usage data.) Your phone, tablet, or laptop then connects to their servers, when then hands off the connection to your home device. But because you're now trusting a third party, that exposes you to all sorts of attacks by the Internet at large.