Serious Amazon Ring Vulnerability Leaves Audio, Video Feeds Open To Attack (betanews.com)
Mark Wilson shares a report from BetaNews: Security researchers from Dojo by Bullguard have discovered a vulnerability in Amazon's Ring doorbell that leaves it prone to man-in-the-middle attacks. As well as enabling a hacker to access audio and video feeds in a severe violation of both privacy and security, the vulnerability also means that an attacker could replace a feed with footage of their own. Revealing the security flaw at Mobile World Congress, Yossi Atias from Dojo demonstrated how a feed could be hijacked and injected with counterfeit video. The vulnerability poses a number of risks. The ability to spy on audio and video feeds has obvious privacy implications, but it could also enable a hacker to monitor comings and goings to determine when a house will be empty. Using easily available tools, it is possible to intercept Ring's RTP stream and extract a viewable MPEG video.
Re: (Score:2)
So, you're right. Let me just get that right out in the open first, because you're right even though you probably won't get any up-mods for it.
But as I'm reading this it strikes me as problematic in the way you've presented your argument. I keep hearing the words of others echoing in my head, telling me that I was too biased to be heeded when I tried to protect them in this manner.
So you (both of us, really) have to figure out a way to make this argument sound like it is coming from someone rational and u
Re:Good news! (Score:4, Interesting)
Re: (Score:1)
Get even. Play a high quality porno loop, pretending it's from your camera. Might even make you a few new friends, and give the watchers something to do.
Really Everyone? OK, Let Me Be the First to Post It (Score:2)
These things really should be using a VPN (Score:3)
Unfortunately, the VPN server part of that is rather challenging to set up. People are lazy / technically challenged. These device manufacturers have to cater to the lowest common denominator, which means they need a way for these devices to work even for the laziest and most clueless buyer. So they make these devices connect to their server over the Internet. (Not that they mind, since it allows them to collect usage data.) Your phone, tablet, or laptop then connects to their servers, which then hand off the connection to your home device. But because you're now trusting a third party, that exposes you to all sorts of attacks by the Internet at large.
Re: (Score:3)
The proper way to implement these devices is to allow them to only communicate on the LAN. No attempts to connect to the Internet, no receiving instructions from the Internet. To access them away from your home, you set up a VPN server on your home router. Your phone, tablet, or laptop then connects to that VPN, making it appear as if it's connected to your home LAN, and thus giving you access to all these devices on your LAN.
Isn't part of the issue with these devices that they are not self-contained products? Their capabilities are tied into remote servers (and services) that the customer does not control. People go to a central website and use apps that route through a corporate mothership mainly to get around the end user being on DHCP internet service and behind consumer networking equipment. Part of that is by design: can't charge a monthly fee for them if they are capable of working without internet access.
I know DDNS is pr
Re: (Score:2)
You can get standalone DVRs that don't require the cloud at all. But then you know what? People misconfigure them and they get exposed all over the internet. Either with default credentials so everyone can spy on what the cameras see, or as typical with these devices, they get exploited and become a part of a massive botnet that DDoS's infrastructure.
I think a lot of the blame there goes to the writers of the firmware for those devices. The security issues and backdoors are many times baked in as part of testing and not removed before production, or left in to allow support people an easy backdoor to avoid the "well, you locked yourself out, you'll have to hard reset that and lose all your data" convo.
With those stand-alone devices, more of the legwork with setup is expected on the customer side, too. So we're back to "limited support, or limit autonomy
Re: (Score:2)
In general I agree.
But a security device should have Internet access, because that is a secure storage for its data. If it streamed to a desktop machine inside the house, then in case of a burglary chances are good that this computer would be gone.
Re: (Score:2)
Standard HTTPS with a pinned certificate would have been fine for this application, but they didn't even manage to do that. Quite incredible levels of incompetence for such a big company with massive cloud infrastructure.
I don't really understand Ring though. If I'm in I'll answer it, if I'm not there isn't much I can do anyway and anyone important will leave a card. So why do I need it?
Important note: It's patched. (Score:2)
From the very end of the linked article:
"Important note: Ring has patched this vulnerability in version 3.4.7 of the ring app (Without notifying users in the patch notes!). Please make sure to upgrade to a newer version ASAP as the affected versions are still backward compatible and vulnerable."
(I think I'm beginning to understand that whole "read the last page first" philosophy.)