Amazon’s Ring Video Doorbell Pro broadcasted home wi-fi passwords unencrypted

Amazon recently rolled out a security patch for its hugely popular Ring Video Doorbell Pro after security researchers found it was broadcasting wi-fi network credentials in the clear, potentially allowing nearby attackers to intercept the credentials and compromise the household network.   

The bug is yet another lesson in the security problems that people who connect up smart home gadgets could face more often in the future. It also comes as Amazon works to make setting up smart home gadgets simpler for consumers via its Certified for Humans program announced in September. 

The company has a lead over Apple and Google in the smart home market thanks to Alexa and its Echo devices, with some 85,000 Alexa compatible smart home gadgets.  

The Ring Video Doorbell Pro is one of the tech giant’s smart doorbell and surveillance systems, which features a camera, mic, speaker and a phone app that lets users talk with visitors at the door. Amazon sells the smart door bell for $399 on its Australian domain.  

Researchers at security firm Bitdefender earlier this year found that wi-fi network credentials can be leaked during the setup process employed by the smart door bell. 

While it normally communicates with Amazon’s cloud services over encrypted HTTPS channels, the initial configuration between the phone and the door bell is not, giving attackers within wi-fi range the opportunity to sniff packets being sent between the phone app and the smart door bell, waiting for network credentials to be broadcast.  

“When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecure manner, through an unprotected access point,” Bitdefender researchers explain.  

“When entering configuration mode, the [smart door bell] creates an access point without a password (the SSID contains the last three bytes from the MAC address).” 

However after the network is up, the app connects to it automatically and then sends the credentials to the local network. 

“All these exchanges are performed through plain HTTP. This means the credentials are exposed to any nearby eavesdroppers,” they added. 

At this stage, an attacker could capture the wi-fi network credentials, however to exploit the bug an attacker would need to trick the user into reconfiguring the device so that the phone app sends the network credentials over HTTP again. 

An attacker could achieve this by sending multiple de-authentication messages to force the device to be dropped from the wireless network, thus forcing the target to reconfigure the device and transmit network credentials in the plaintext that can be captured by network sniffing tools. 

Bitdefender says it reported the issue to Amazon through the HackerOne bug bounty program in July and Amazon began deploying the patch in early September.