Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using MitM against other devices connected to the same network.
In case you don’t own one of these, Amazon’s Ring Video Doorbell is a smart wireless home security doorbell camera that lets you see, hear and speak to anyone on your property from anywhere in the world.
Ring Video Doorbell needs to be connected to your WiFi network, allowing you to remotely access the device from a smartphone app to perform all tasks wirelessly.
When setting up the device for the very first time and sharing your WiFi password with it, you need to enable configuration mode on the doorbell.
Entering configuration mode turns on a built-in, unprotected wireless access point, allowing the Ring smartphone app installed on your device to automatically connect to the doorbell.
However, researchers told The Hacker News that besides using an access point with no password, the initial communication between the Ring app and the doorbell, i.e., when you share your home’s WiFi password with the doorbell, is performed insecurely through plain HTTP.
Thus, a nearby attacker can simply connect to the same unprotected wireless access point while the setup is in progress and steal your WiFi password using a man-in-the-middle attack.
Since this attack can only be performed during the “one-time initial configuration” of the device, you might be wondering how an attacker can leverage this loophole after the device has already been configured.
Researchers suggested that by continuously sending de-authentication messages to the device, an attacker can trick the user into believing that the device is malfunctioning, so the user reconfigures it.
“One way to do this is to continuously send de-authentication messages, so that the device is dropped from the wireless network,” researchers explain.
“The live view button becomes greyed out and, when clicked, the app will suggest restarting the router or pressing the setup button twice on the doorbell. Pressing the button twice will trigger the device to try to reconnect to the network – an action that will fail. The last resort is to try and reconfigure the device.”
Once the owner enters configuration mode to re-share WiFi credentials, the attacker sniffing the traffic would capture the password in plaintext, as shown in the screenshot.
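From the defender's side, the sustained de-authentication described above is visible on the air before the owner ever reaches for the setup button. The following is an added detection sketch, not code from Bitdefender or Ring: it flags any station that receives a burst of deauth frames within a short window. The record layout, MAC addresses, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed addresses and frame records (not captured traffic).
AP, DOORBELL = "02:00:00:00:00:01", "02:00:00:00:00:0a"
LAPTOP, PHONE = "02:00:00:00:00:0b", "02:00:00:00:00:0c"

# Each record: (time in seconds, 802.11 management subtype, transmitter, receiver)
SAMPLE_FRAMES = (
    [(100.0 + 0.5 * i, "deauth", AP, DOORBELL) for i in range(8)]  # sustained burst
    + [(103.2, "deauth", AP, LAPTOP)]                              # single, ordinary deauth
    + [(50.0 + 30 * i, "deauth", AP, PHONE) for i in range(5)]     # spread out, not a burst
    + [(101.0, "beacon", AP, "ff:ff:ff:ff:ff:ff")]                 # unrelated management frame
)


def find_deauth_bursts(frames, window=10.0, threshold=5):
    """Return {station: time of first alert} for every station that received
    at least `threshold` deauth frames within `window` seconds.

    Frames are grouped by receiver, not transmitter: the transmitter address
    of an unprotected management frame can be forged, so it usually shows the
    legitimate access point and says nothing about who sent the frame.
    """
    recent = defaultdict(deque)  # receiver -> timestamps still inside the window
    alerts = {}
    for ts, subtype, _src, dst in sorted(frames):
        if subtype != "deauth":
            continue
        seen = recent[dst]
        seen.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold and dst not in alerts:
            alerts[dst] = ts
    return alerts


if __name__ == "__main__":
    for station, when in find_deauth_bursts(SAMPLE_FRAMES).items():
        print(f"deauth burst against {station}, threshold reached at t={when}s")
```

A doorbell that keeps dropping off the network while such an alert is firing is a reason to hold off on reconfiguring it.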
Bitdefender discovered this vulnerability in Ring Video Doorbell Pro devices in June this year and responsibly reported it to Amazon, but got no update from the company.
When asked for an update in late July, the vendor closed the vulnerability report in August and marked it as a duplicate without saying whether a third party had already reported this issue. However, after some communication with the vendor, a fix for the vulnerability was partially deployed on September 5.