Security researchers have found that data streams from the Amazon-owned Ring doorbell’s app can be easily compromised.
In a blog post on hardware security company Dojo’s website, cybersecurity expert Or Cyngiser outlined the issue: using a specialized security assessment tool called VideoSnarf, he and a team of researchers were able to extract and inject video and audio information as it was transferred from the Ring doorbell to its app.
That’s a big problem: criminals could target Ring doorbells to gather sensitive information about potential targets.
“The attack scenarios possible are far too numerous to list, but for example imagine capturing an Amazon delivery and then streaming this feed,” Cyngiser wrote. “It would make for a particularly easy burglary. Spying on the doorbell allows for gathering of sensitive information — household habits, names and details about family members including children, all of which make the target an easy prey for future exploitation.”
The researchers even demonstrated that they could inject their own video and audio feed, Ocean’s 11-style, on stage at the Mobile World Congress in Barcelona.
“We developed a [proof of concept], whereby we first captured real footage in a so-called ‘recon mode,’” reads the blog post. “Then, in ‘active mode’ we can drop genuine traffic and inject the acquired footage.”
The hack was completely untraceable, the team said.
It’s not the first time Amazon’s Ring doorbell has landed in hot water over security issues. In May 2018, The Conversation reported that Ring customers remained logged in even after changing the password to access the device.
Ring scrambled and released an over-the-air update yesterday.
But users who haven’t downloaded the update, according to Cyngiser, are still vulnerable.
“Letting the babysitter in while kids are at home could be a potentially life threatening mistake,” Cyngiser wrote.
READ MORE: One Ring to rule them all, and in darkness bind them [Dojo]