A new report from security researchers alleges that Amazon Ring doorbells have exposed users’ home Wi-Fi passwords to hackers.
TechCrunch reports that security researchers at Bitdefender have claimed that Amazon Ring doorbells were sending users Wi-Fi passwords in cleartext as the doorbell joins the home network. This would allow hackers to intercept the Wi-Fi password and gain access to users’ local network.
Bitdefender stated: “When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecure manner, through an unprotected access point. Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”
All of this happens over an unencrypted connection which exposes the Wi-Fi password being sent over the air. The vulnerability was reportedly fixed by Amazon in September but the vulnerability was only recently disclosed.
A Ring spokesperson provided the following statement to Breitbart News: “Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched.”
This is yet another vulnerability recently discovered in smart home devices, Breitbart News reported a team of researchers from Tokyo’s University of Electro-Communications and the University of Michigan recently claimed to have discovered a way to “hijack” voice-enabled devices by shining a laser at the microphones of the devices.
Breitbart News wrote at the time:
Researchers discovered that the most in some of the most popular smart speakers, a bright laser shined at the speaker’s microphone was interpreted as sound. The researchers wrote: “Thus, by modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio.”
The researchers tested smart-speakers from all major tech firms, the full list of devices includes: “Google Home, various Amazon Echo models, the Apple HomePod, and Facebook’s Portal speaker, which runs Alexa. They also tested an iPhone XR, a Samsung Galaxy S9, and a Google Pixel 2.”
The devices reportedly varied in how vulnerable they were to hijacking, but all were able to be hacked. Researchers found that they could hijack tablets, phones and speakers from some distance away, even hijacking a Google Home speaker from as far away as 110 meters.
Read the full report here.
Update — added a statement from Ring.