Amazon has finally gotten around to providing a fix for a security problem with its Ring Video Doorbell product that potentially left many users’ accounts, connected devices, and even Wi-Fi credentials exposed. That’s according to recent reports following a disclosure drawn up by Bitdefender researchers who found the problem.
The Ring Video Doorbell was mostly secure, the researchers say. That’s because it sends information straight through Amazon’s API endpoints and locally without exposing services.
But it was also completely unprotected during setup. Worse, users might not notice if the device was reset because the doorbell, aside from video and connected services, would still work.
Bad actors could potentially take advantage of that to send code repeatedly to the device to force it to require reauthentication. In effect, users would have to re-enter and set up their Wi-Fi access. The credentials for the network were sent between device and app over an unsecured local network.
That left the credentials, sent in plain text, open to snooping by nearby attackers. An attacker who gained access to those could potentially read other traffic sent over the network. That access could also help an attacker take over other devices on the network.
The timeline for the Ring Doorbell fix is alarming
Bitdefender also offers a timeline for the stream of events leading up to the patch. That may not be great news for Amazon since, according to Bitdefender, the problem was first relayed to Amazon some time ago.
It provided the online retail and shipping giant with those details over a secured communications channel back in June. Bitdefender followed that with a report via the HackerOne bug bounty program as far back as July 18.
The researchers at Bitdefender attempted to follow up on their report with Amazon’s Ring division just a couple of weeks later. Amazon didn’t respond to that but marked the inquiry as a duplicate without further details. That wasn’t until August 16.
Amazon didn’t start rolling out a partial fix for the security issue until early September. And it wasn’t until November 7 that the fix was far enough along and rolled out for full public disclosure. That means consumers were potentially vulnerable to attack from effectively mid-June through just a few days ago.
The Ring Video Doorbell is among the more popular options when it comes to video doorbells and smart home products, in general. So the newly-disclosed situation presents a clear problem for the company and its image.
Amazon’s statement on the matter & checking that your device is up-to-date
A spokesperson for Ring has reportedly responded to reinforce its stance on the security of its devices. Customer trust is important to the company and so is the security of its products, the company says. So the update has now been applied automatically and the issue has “since been patched.”
This is not the first time the Amazon-owned company has needed to rapidly address concerns about its products. This particular issue does seem to be more far-reaching and potentially more damaging. So although users should have already received the Ring Doorbell security fix, it may be a good idea for users to check to be sure.
To look at whether a Ring Video Doorbell is up-to-date, Amazon’s support pages state that users need to first open the Ring app. After selecting the appropriate device on the app’s home page, users need to navigate to the “Device Health” section. That’s located near the bottom.
In the “Device Details” menu, Amazon’s app shows whether or not a device is up to date, under “Firmware.”