• The company which manufactures home security products is backed by e-commerce giant Amazon.
  • Its doorbell devices had a security bug enabling attackers to spy on customers’ video and audio footage.

Doorbells manufactured by Ring were found to have a serious security vulnerability which could have allowed cybercriminals to conduct man-in-the-middle attacks.

According to an in-depth analysis by security firm Dojo, the RTP-based data feed implemented in Ring devices could be intercepted and extracted by attackers. On top of this, the feed can also be injected with false content after the device is accessed.

Worth noting

  • Ring doorbells capture video as well as audio from households or other establishments and their surroundings.
  • This information could be the activity of family members, their names, location details etc.
  • The bug can allow anyone to snoop on video and audio footage by hacking the device with Videosnarf tool.

What’s at stake?

  • Access to private information related to family members can help attackers in conducting dangerous crimes such as burglary or even homicide.
  • Injecting false feed into these doorbells will cripple real-time security in the first place.

“Encrypting the upstream RTP traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP transmission does not thwart stream interception. When dealing with such sensitive data like a doorbell, secure transmission is not a feature but a must, as the average user will not be aware of potential tampering.” suggested the report.

What action was taken

After the research was made public, Ring came up with an update. It has patched the flaw in version 3.4.7. of the ring app. "Customer trust is important to us and we take the security of our devices seriously. The issue in the Ring app was previously fixed and we always encourage customers to update their apps and phone operating systems to the latest versions," said the company spokesperson.

Users are advised to update their apps immediately to mitigate any risk associated with the vulnerability.

Cyware Publisher