Serious Amazon Ring vulnerability leaves audio and video feeds open to interception and spoofing
Security researchers from Dojo by Bullguard have discovered a vulnerability in Amazon's Ring doorbell that leaves it prone to man-in-the-middle attacks.
As well as enabling a hacker to access audio and video feeds in a severe violation of both privacy and security, the vulnerability also means that an attacker could replace a feed with footage of their own. Revealing the security flaw at Mobile World Congress, Yossi Atias from Dojo, demonstrated how a feed could be hijacked and injected with counterfeit video.
The vulnerability poses a number of risks. The ability to spy on audio and video feeds has obvious privacy implications, but it could also enable a hacker to monitor comings and goings to determine when a house will be empty.
Using easily-available tools, it is possible to intercept Ring's RTP stream and extract a viewable MPEG video.
Exploiting the vulnerability is worrying simple, as Dojo explains:
Dojo's cybersecurity experts were able to gain access to the application traffic without difficulty and noted that if the Ring owner is at home, Wi-Fi access -- either cracking weak encryption (if present) or exploiting another smart home device is needed. When the owner is in transit, a hacker can open a rogue Wi-Fi connection near the owner and wait for them to join, or join a common public network. Once sharing a network, a simple ARP spoof allows the hacker to capture Ring data traffic before passing it on to the mobile app, and certain 3G/4G configurations may allow intra-network poisoning as well. Encrypting the upstream RTP (Real-Time Transport Protocol) traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP (Session Initiation Protocol) transmission will not thwart stream interception.
As demonstrated at MWC, and explained in a blog post, there are also implications stemming from the ability to inject video footage into a stream. If away from home, a Ring owner could be fooled into believing that a trusted person was at the door who could then be let in remotely.
Dojo has opted for responsible disclosure of the vulnerability, and it has been patched in version 3.4.7 of the Ring software -- users just need to make sure that they have updated to this version to ensure their safety.