X

Ring doorbells had vulnerability leaking Wi-Fi login info, researchers find

Amazon's video doorbell sees who's at your doorstep. For months, anyone on its open network could have seen your username and password.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read
how-to-ring-10

Ring video doorbells had a vulnerability that allowed hackers to view your Wi-Fi password.

Chris Monroe/CNET

People buy RIng's video doorbells to bring a sense of safety to their homes, but a software flaw left their network's security wide open, researchers said. The flaw, disclosed Thursday, would have allowed potential attackers to steal a Ring owner's Wi-Fi username and password, according to cybersecurity company Bitdefender

The security company first informed Ring's parent company about the issue in June, and released a fix for the vulnerability in an automatic update in September, the researchers said. 

Ring is a video doorbell company owned by Amazon , which bought it for $839 million in February 2018. It has partnered with at least 587 police departments across the country, offering law enforcement access to an impromptu surveillance network in residential neighborhoods. 

Privacy advocates have raised concerns about Ring's close ties to police, pointing out issues with civilian-backed surveillance, along with potential hacks on the internet-connected devices.

Watch this: Police have your Ring footage. They're not the only ones looking at it

This isn't the first time Ring has had a vulnerability in its video doorbells. In 2016, security researchers from Pen Ten Partners found flaws with Ring's doorbell that would allow potential hackers to steal Wi-Fi passwords. The company issued a fix, but that wasn't the end of the story. In February, security firm Dojo Bullguard hacked a Ring doorbell in real time at Mobile World Congress, allowing an attacker to view footage from the device's video feed. 

And now comes the vulnerability disclosed by Bitdefender on Thursday. 

"Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it's since been patched," Ring said in a statement.

The vulnerability happens in the video doorbell's communications with Ring's app. When you first set up your Ring device, the app needs to send your Wi-Fi network's login information to the doorbell. 

It had been sending this sensitive information over an unencrypted network, which meant that anyone viewing that network could have seen your username and password for your Wi-Fi. The potential hacker would have to be within range of your Wi-Fi to carry out this attack.

While this attack can only take place during the video doorbell's setup process, a hacker could also send fake messages to the person to trick them into setting up the doorbell again, the researchers said.

16 smart doorbells to watch over your front stoop

See all photos

Originally published Nov. 7, 7:01 a.m. PT.
Update, 10:47 a.m.: Includes comment from Ring.