Ring Doorbells used HTTP to pass credentials unencrypted



    Amazon supposedly fixed this security vulnerability as reported here:




     




    https://threatpost.com/amazon-fixes-...ntials/150029/




     




    Quote





    The key issue with Ring exists in how users first configure the device, which requires the device’s smartphone app to use a wireless connection to send the wireless network credentials to the smart doorbell, researchers said.




    “This takes place in an unsecure manner, through an unprotected access point,” researchers wrote. “When entering configuration mode, the device creates an access point without a password (the SSID contains the last three bytes from the MAC address).”






     




    I have had an IoT device and based on how bad the security was on that, I've sworn off all IoT until companies can figure out that patching, security and not being first to market are important.




     




    If you ever change your network, or let's say the average user:




    - gets a new internet service provider




    - gets the default wifi router with their service




    - has to change the password as most do




    - doesn't pick secure passwords, and doesn't care




     




    They would be open to all sorts of attacks.




     




    Quote





    While no Amazon Ring users at this point appeared to have been affected by the flaw, there was some considerable lag time between Bitdefender’s first disclosure of the problem to the company on June 20 and Amazon’s patch and coordinated disclosure of the flaw on Nov. 7.






    Bitdefender found the flaw.




     




    Here's another article that is more brief:




     




    https://techcrunch.com/2019/11/07/am...-wifi-hackers/




     




    Quote





    Amazon has faced intense scrutiny in recent months for Ring’s work with law enforcement.






     




    The link above from the quote showed how Ring wanted to allow law enforcement agencies to hack your doorbell so they could see crimes, but what would stop the law enforcement from rifling around in your network if they wanted to?




     




    That's in addition to this:




    https://www.theatlantic.com/ideas/ar...e-news/588394/




     




    Where Ring wanted to hire a reporter to report on crime so they could raise fear and make people buy more Ring devices.




     




    I think that's three strikes.


