A vulnerability in Amazon’s Ring Video Doorbell Pro internet of things (IoT) devices that could have enabled hackers to target victims with man-in-the-middle attacks has finally been patched several months after it was first spotted, according to threat researchers at Bitdefender.
Bitdefender found that the Ring Video Doorbell Pro’s companion smartphone app sent the wireless network credentials to the device over unencrypted HTTP during the set-up and configuration stage. Bitdefender said the flaw meant there was a chance that an attacker could trick the user into believing the doorbell was malfunctioning by repeatedly targeting the device with de-authentication messages so that it was dropped from the Wi-Fi network.
To restore full functionality, the user would then have to reconfigure the device, at which point their credentials would be exposed.
“The de-authentication process is simple,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender. “A Wi-Fi de-authentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point. The Wi-Fi protocol contains a ‘de-authentication frame’ that informs a recipient (in this case, the doorbell) that they have been disconnected from the base station.
“Attackers can send these de-authentication frames at any time to a wireless device. Once the device loses its ‘heartbeat’, it automatically enters configuration mode.”
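The mechanism Botezatu describes has a defensive counterpart: a de-authentication flood is visible to anyone watching the wireless medium, so a doorbell that suddenly "malfunctions" can be recognised as being under attack rather than a reason to re-run setup. The following Python is an added example, not code from Bitdefender or the article. It parses the 802.11 MAC header of management frames (the capture is assumed to have its radiotap header already stripped), counts de-authentication frames per BSSID in a sliding window, and raises one alert when a constructed threshold is crossed. The sample capture, MAC addresses and threshold values are all made up for the demonstration; nothing is transmitted.

```python
"""Flag 802.11 de-authentication floods in a monitor-mode capture.

Added example with constructed data: frames are built in memory only.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0        # 802.11 frame type: management
DEAUTH_SUBTYPE = 12  # management subtype: de-authentication
BEACON_SUBTYPE = 8   # management subtype: beacon (used as benign filler)

# A few IEEE 802.11 reason codes carried in the de-auth body
REASON_TEXT = {1: "unspecified", 3: "STA is leaving",
               7: "class 3 frame from non-associated STA"}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_mgmt_frame(raw: bytes):
    """Parse the 24-byte 802.11 MAC header (no radiotap). None if too short."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]                       # frame control, first byte
    ftype = (fc0 >> 2) & 0x3           # bits 2-3: type
    subtype = (fc0 >> 4) & 0xF         # bits 4-7: subtype
    frame = {"type": ftype, "subtype": subtype,
             "receiver": mac_str(raw[4:10]),     # addr1
             "transmitter": mac_str(raw[10:16]), # addr2
             "bssid": mac_str(raw[16:22]),       # addr3
             "reason": None}
    if ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


class DeauthFloodDetector:
    """One alert per BSSID when `threshold` de-auth frames fall inside a
    sliding window of `window_s` seconds (values are arbitrary choices)."""

    def __init__(self, threshold: int = 10, window_s: float = 5.0):
        self.threshold = threshold
        self.window_s = window_s
        self._seen = defaultdict(deque)  # bssid -> timestamps of de-auth frames

    def observe(self, ts: float, raw: bytes):
        frame = parse_mgmt_frame(raw)
        if not frame or frame["type"] != MGMT_TYPE or frame["subtype"] != DEAUTH_SUBTYPE:
            return None
        q = self._seen[frame["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) == self.threshold:             # alert once, when first crossed
            return {"ts": ts, "bssid": frame["bssid"], "target": frame["receiver"],
                    "count": len(q), "window_s": self.window_s,
                    "reason": REASON_TEXT.get(frame["reason"], str(frame["reason"]))}
        return None


def _sample_frame(subtype, receiver, transmitter, bssid, reason=None) -> bytes:
    """Build a minimal management frame for the constructed capture."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    raw = fc + b"\x00\x00" + receiver + transmitter + bssid + b"\x00\x00"
    if reason is not None:
        raw += struct.pack("<H", reason)
    return raw


# Constructed addresses (not real devices)
AP = bytes.fromhex("aabbccddee01")
DOORBELL = bytes.fromhex("001122334455")
OTHER_AP = bytes.fromhex("aabbccddee02")
LAPTOP = bytes.fromhex("66778899aabb")


def sample_capture():
    """(timestamp, frame) pairs: one ordinary de-auth on a neighbouring network,
    a beacon, then twelve de-auths aimed at the doorbell within 1.2 seconds."""
    cap = [(0.0, _sample_frame(DEAUTH_SUBTYPE, OTHER_AP, LAPTOP, OTHER_AP, reason=3)),
           (0.5, _sample_frame(BEACON_SUBTYPE, bytes([0xFF] * 6), AP, AP))]
    cap += [(1.0 + 0.1 * i, _sample_frame(DEAUTH_SUBTYPE, DOORBELL, AP, AP, reason=7))
            for i in range(12)]
    return cap


def scan_capture(capture, threshold=10, window_s=5.0):
    """Run the detector over a capture and return the alerts raised."""
    det = DeauthFloodDetector(threshold, window_s)
    alerts = []
    for ts, raw in capture:
        alert = det.observe(ts, raw)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_capture(sample_capture()):
        print(f"t={a['ts']:.1f}s de-auth flood on {a['bssid']} against {a['target']}: "
              f"{a['count']} frames in {a['window_s']}s (reason: {a['reason']})")
```

The single de-auth on the neighbouring network never reaches the threshold, while the burst against the doorbell trips it on the tenth frame. A wireless IDS would key the same logic on the real capture feed and pair it with a user-facing message that the device was pushed offline rather than simply "disconnected", which is exactly the moment the article's attacker needs the owner to re-enter Wi-Fi credentials.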
Subsequent communications to Amazon’s cloud services use HTTPS with server certificate verification, making such attacks impossible beyond the configuration stage. But if the Wi-Fi credentials had been successfully intercepted, the attacker could then interact with any device connected to the network, intercept traffic, access local storage such as consumer NAS drives to steal data, exploit vulnerabilities to take control of other connected devices, or access IP security cameras.
“Unfortunately, there is little users can do to protect themselves against vulnerabilities in IoT devices,” said Botezatu.
“Amazon was extremely open to investigate the report and offer a fix for the issue in a timely manner. We stayed in touch during the vulnerability window and coordinated the disclosure to make sure that vulnerable devices are patched before publishing our findings.”
Bitdefender said it first approached Amazon on 20 June 2019 and was given a PGP key so it could send details of the vulnerability over a secure channel. It was then invited to report via Amazon’s HackerOne bug bounty programme. After some back and forth between the two, a partial fix was deployed on 5 September.
“All Ring Doorbell Pro cameras have received a security update that fixes the issue described,” said Bitdefender in its disclosure. “We appreciate the Ring team’s efforts to mitigate the issue and keep their customers safe.”
This is the second time in recent months that IoT products associated with Amazon have hit the headlines for reasons pertaining to end-user security, highlighting wider industry worries over the safety of IoT devices.
In October, ESET warned that many Amazon Echo and Kindle devices remained open to a different Wi-Fi vulnerability, a Key Reinstallation Attack (Krack attack), which also targets network credentials by exploiting the four-way handshake in the WPA2 wireless security protocol that executes when devices attempt to join protected wireless networks.
A Krack attack enables the attacker to trick a device into reinstalling a key that is already in use by another device, enabling them to gain visibility of data packets crossing the network.
However, like the Ring configuration flaw, successful execution requires the attacker to be physically close to the victim’s network, which means exploits in the wild have been minimal, if they have happened at all.
Nevertheless, the fact that so many devices remain open to a flaw first identified over two years ago serves as a timely reminder for end-users to make sure they patch their devices at the first opportunity.