At Amazon‘s subsidiary Ring, a security vulnerability was discovered that allowed the company to manipulate the combination of doorbell and surveillance camera, which Amazon advertised with the slogan “With Ring you’ll always be the first to know if you have a visitor”.
The security company Dojo by Bullguard has found a security hole that allows attackers to read the video footage from the ring camera and even exchange it. It is so possible that the transmission of the door camera, which the owner receives via smartphone app, is read out and even exchanged before sending. In practice, an attacker could first record a video of a trustworthy person and later use the video to gain access to the apartment himself.
Encryption incorrectly implemented
According to Dojo, this is possible because Ring uses its own encryption method instead of the standard encryption of the Internet telephony protocol SIP/RTP, which could be circumvented by the security experts. In order to exploit the security hole, however, attackers need access to the data packets of the ring camera, which they can obtain, for example, if they are in the same WLAN.
Golem.de has meanwhile received information from Ring that the security hole has been closed in the latest software version. Since the software does not update itself automatically, all owners of Ring hardware should perform the update manually as soon as possible.