Ring Video Door Bell WiFi Leakage

The following article is only opinion based and should be read as fact. 

Kudos to the manufacturer for addressing and fixing the problem described. Their speed in addressing the problem and automatically pushing the fix to all active devices is an example of how IoT device manufacturers should operate. For more info see their blog at http://blog.ring.com/index.php/2016/01/13/100-of-active-ring-video-doorbells-keep-your-wi-fi-password-secure/

Wi-Fi enabled video doorbells allow users to monitor their doors from a smartphone or tablet. Using push notifications, the doorbell chimes on all of your connected devices when you have a visitor. You can monitor your doors from upstairs or across the world. Multiple sensors, night vision, and motion detection make it a great tool.

[Image: ring-doorbell-IoT-WiFiLeak-1]

I first discovered this vulnerability in early November. The manufacturer had already been working on a fix for the problem. The issue was fixed earlier this year, and disclosed to the public by several groups. The manufacturer was excellent in their communications, and in addressing the problem as quickly as possible.

To the best of my knowledge, the problem was first discovered in March of 2015.

[Image: ring-doorbell-IoT-WiFiLeak-2]

 

[Image: ring-doorbell-IoT-WiFiLeak-3]

At this point, the device will ask you to hit the reset button at the back of the device. The Ring video doorbell will now set up a temporary hotspot and prompt you to connect your smartphone to it. It will then complete its registration, which includes adding your home/work wireless network SSID and password. The SSID requires no authentication.

The problem is that the hotspot is available not only to the smartphone but to any device, including my Mac, which you can see here:

[Image: ring-doorbell-IoT-WiFiLeak-4]

Once I connected my laptop to the same SSID Ring was advertising, I noticed it gave my system an IP address of 192.168.240.34 with a class C network mask.

[Image: ring-doorbell-IoT-WiFiLeak-5]

I then ran an nmap scan on the network and discovered the only other device was the doorbell itself, with an IP address of 192.168.1.1.

[Image: ring-doorbell-IoT-WiFiLeak-6]

After a little discovery using the smartphone app and Wireshark, I was able to discover a few URLs that looked interesting, mostly:

http://192.168.240.1/gainspan/system/prov/ap_list

http://192.168.240.1/gainspan/system/config/network

The first URL returns an XML file that lists all the access points.

[Image: ring-doorbell-IoT-WiFiLeak-7]

The second URL returned an XML file with the previous configuration, including network names and passwords.

[Image: ring-doorbell-IoT-WiFiLeak-8]
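
A defensive check for the leak described above, as an added example that is not from the original post or from the manufacturer: it scans a saved provisioning response for non-empty credential fields and reports them redacted. The XML element names, the hint list and the sample document are all constructed assumptions, because the real response format is not shown in the text of this page.

```python
import xml.etree.ElementTree as ET

# Substrings that suggest a stored secret (assumed list, not from the page).
SECRET_HINTS = ("password", "passphrase", "psk", "secret")

# Constructed sample response; every element name here is hypothetical.
SAMPLE_CONFIG = """<network>
  <mode>limited-ap</mode>
  <client><wireless>
    <ssid>HomeNetwork</ssid>
    <security>wpa-personal</security>
    <password>correct horse battery</password>
  </wireless></client>
</network>"""

def redact(value):
    """Report only the length so the audit output never stores the secret."""
    return f"<{len(value)} chars redacted>"

def looks_secret(name):
    return any(hint in name.lower() for hint in SECRET_HINTS)

def find_leaked_secrets(xml_text):
    """Return [(path, redacted_value)] for each non-empty secret-looking field."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # Device responses are untrusted input: refuse entity tricks outright.
        raise ValueError("DTD/entity declarations are not accepted")
    findings = []
    def walk(node, path):
        here = f"{path}/{node.tag}"
        text = (node.text or "").strip()
        if looks_secret(node.tag) and text:
            findings.append((here, redact(text)))
        for name, value in node.attrib.items():
            if looks_secret(name) and value:
                findings.append((f"{here}@{name}", redact(value)))
        for child in node:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return findings

def audit(xml_text):
    """PASS only if the provisioning response carries no stored secret."""
    findings = find_leaked_secrets(xml_text)
    return ("FAIL" if findings else "PASS"), findings

if __name__ == "__main__":
    status, findings = audit(SAMPLE_CONFIG)
    print(status, findings)
```

A response that still lists the SSID but leaves the credential field empty or absent passes, which is the behaviour to expect from a setup-mode endpoint that does not echo stored secrets.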

How realistic is this attack? The attacker must have physical access to the video doorbell, and they must be able to hold the reset button. Then they will have to connect to the Ring default SSID and get the previously stored network configuration.

If the network for the video doorbell is isolated, then even if an attacker compromises that network, they will not have access to the main network.

Furthermore, the actual vulnerability and method described here do not work because the manufacturer had fixed the issue in early January.
