Amazon's Ring Doorbells Caught Broadcasting Wi-Fi Passwords In Cleartext To Hackers
Researchers from Bitdefender uncovered that when initially setting up a Ring doorbell with the smartphone app, a customer's Wi-Fi credentials are transmitted via an unprotected access point while in configuration mode. Once the doorbell has received all the necessary information from the app and your smartphone to complete its configuration process, it then transmits its credentials to your local Wi-Fi network so that it can connect and gain access to the internet.
The problem comes with the fact that the exchanges between your smartphone and the doorbell, and then between the doorbell and your Wi-Fi network are transmitted through plain HTTP. This leaves that information exposed to anyone that could be nearby that is snooping for Wi-Fi credentials.
Now to be clear, the initial setup of a Ring doorbell should be a one-time thing, which means that the attack window would have be incredibly specific, and it would be short-lived. This is where the deception comes into play. Through a process called deauthentication perpetrated by the hacker, the doorbell will begin to act erratically, the Live View button will become greyed out, and the device itself will eventually show as being offline. At this point, reconfiguration is necessary.
With reconfiguration comes the process mentioned above where the app has to be used to authenticate the doorbell -- again sending your Wi-Fi password in plaintext. "Meanwhile the attacker is sniffing all the packets, waiting for the plaintext credentials to be sent to the device," writes Bitdefender.
Luckily, Bitdefender first contacted Amazon about its findings in June and after some back and forth with the company, a proper fix was identified and was deployed to affected products in September. The security researchers didn't disclose the vulnerability until now after all of the affected hardware was patched.