Serious Amazon Ring Vulnerability Leaves Audio, Video Feeds Open To Attack (betanews.com)

Mark Wilson shares a report from BetaNews: Security researchers from Dojo by Bullguard have discovered a vulnerability in Amazon's Ring doorbell that leaves it prone to man-in-the-middle attacks. As well as enabling a hacker to access audio and video feeds in a severe violation of both privacy and security, the vulnerability also means that an attacker could replace a feed with footage of their own. Revealing the security flaw at Mobile World Congress, Yossi Atias from Dojo demonstrated how a feed could be hijacked and injected with counterfeit video. The vulnerability poses a number of risks. The ability to spy on audio and video feeds has obvious privacy implications, but it could also enable a hacker to monitor comings and goings to determine when a house will be empty. Using easily available tools, it is possible to intercept Ring's RTP stream and extract a viewable MPEG video.
  • Bezos: We wants it, we needs it. Must have the precious.
  • by Solandri ( 704621 ) on Wednesday February 27, 2019 @08:36PM (#58191704)
    The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN server on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.

    Unfortunately, the VPN server part of that is rather challenging to set up. People are lazy / technically challenged. These device manufacturers have to cater to the lowest common denominator, which means they need a way for these devices to work even for the laziest and most clueless buyer. So they make these devices connect to their server over the Internet. (Not that they mind, since it allows them to collect usage data.) Your phone, tablet, or laptop then connects to their servers, which then hand off the connection to your home device. But because you're now trusting a third party, that exposes you to all sorts of attacks by the Internet at large.
    • by SeaFox ( 739806 )

      The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN server on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.

      Isn't part of the issue with these devices that they are not self-contained products? Their capabilities are tied into remote servers (and services) that the customer does not control. People go to a central website and use apps that route through a corporate mothership mainly to get around the end user being on DHCP internet service and behind consumer networking equipment. Part of that is by design; they can't charge a monthly fee for them if they are capable of working without internet access.

      I know DDNS is pr

      • by tlhIngan ( 30335 )

        Isn't part of the issue with these devices that they are not self-contained products? Their capabilities are tied into remote servers (and services) that the customer does not control. People go to a central website and use apps that route through a corporate mothership mainly to get around the end user being on DHCP internet service and behind consumer networking equipment. Part of that is by design; they can't charge a monthly fee for them if they are capable of working without internet access.

        I know DDNS is pr

        • by SeaFox ( 739806 )

          You can get standalone DVRs that don't require the cloud at all. But then you know what? People misconfigure them and they get exposed all over the internet. Either with default credentials so everyone can spy on what the cameras see, or, as is typical with these devices, they get exploited and become part of a massive botnet that DDoSes infrastructure.

          I think a lot of the blame there goes to the writers of the firmware for those devices. The security issues and backdoors are many times baked in as part of testing and not removed before production, or left in to allow support people an easy backdoor to avoid the "well, you locked yourself out, you'll have to hard reset that and lose all your data" convo.

          With those stand-alone devices, more of the legwork with setup is expected on the customer side, too. So we're back to "limited support, or limit autonomy

    • by Tom ( 822 )

      In general I agree.

      But a security device should have Internet access, because that is a secure storage for its data. If it streamed to a desktop machine inside the house, then in the case of a burglary, chances are good that this computer is gone.

    • by AmiMoJo ( 196126 )

      Standard HTTPS with a pinned certificate would have been fine for this application, but they didn't even manage to do that. Quite incredible levels of incompetence for such a big company with massive cloud infrastructure.

      I don't really understand Ring though. If I'm in, I'll answer it; if I'm not, there isn't much I can do anyway, and anyone important will leave a card. So why do I need it?
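Added example (not from the article or from any commenter): one way a client app can implement the certificate pinning AmiMoJo describes, by hashing the server certificate's SubjectPublicKeyInfo and comparing it against pins shipped with the app, so a man-in-the-middle presenting a different certificate is rejected even if it chains to a trusted CA. The DER walker is minimal and assumes a well-formed certificate; the sample certificate is constructed here and is not a real Ring or Amazon certificate.

```python
import base64
import hashlib

def _tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _der(tag, payload):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _ = _tlv(cert_der)            # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert)                 # tbsCertificate SEQUENCE (first element)
    pos, fields = 0, []
    while len(fields) < 6:
        tag, _, nxt = _tlv(tbs, pos)
        if not (tag == 0xA0 and not fields):   # skip the optional [0] version
            fields.append(tbs[pos:nxt])        # keep the whole TLV; the pin hashes it
        pos = nxt
    return fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pin(cert_der, expected_pins):
    """True only if the peer certificate's public key matches one of the shipped pins."""
    return spki_pin(cert_der) in set(expected_pins)

def build_sample_cert(pubkey_bytes):
    """Constructed sample, NOT a real certificate: only the field layout is meaningful."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))      # rsaEncryption OID
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + pubkey_bytes))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # version v3, serial 1
           + _der(0x30, b"") * 4 + spki)                          # sigalg, issuer, validity, subject
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return cert, spki
```

In a real client the `cert_der` argument comes from the TLS socket, e.g. `ssl_sock.getpeercert(binary_form=True)`, and the connection is torn down when `check_pin` returns False; pinning the SPKI rather than the whole certificate lets the server renew its certificate on the same key without breaking clients.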

  • From the very end of the linked article:

    "Important note: Ring has patched this vulnerability in version 3.4.7 of the ring app (Without notifying users in the patch notes!). Please make sure to upgrade to a newer version ASAP as the affected versions are still backward compatible and vulnerable."

    (I think I'm beginning to understand that whole "read the last page first" philosophy.)

