Doorbells manufactured by Ring were found to have a serious security vulnerability which could have allowed cybercriminals to conduct man-in-the-middle attacks.
According to an in-depth analysis by security firm Dojo, the RTP-based data feed implemented in Ring devices could be intercepted and extracted by attackers. On top of this, attackers could inject false content into the feed after the device is accessed.
What’s at stake?
“Encrypting the upstream RTP traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP transmission does not thwart stream interception. When dealing with such sensitive data like a doorbell, secure transmission is not a feature but a must, as the average user will not be aware of potential tampering,” the report suggested.
What action was taken
After the research was made public, Ring came up with an update. It has patched the flaw in version 3.4.7 of the Ring app. “Customer trust is important to us and we take the security of our devices seriously. The issue in the Ring app was previously fixed and we always encourage customers to update their apps and phone operating systems to the latest versions,” said the company spokesperson.
Users are advised to update their apps immediately to mitigate any risk associated with the vulnerability.