Amazon patches Ring Video Doorbell vulnerability that could allow hackers to breach owner's Wi-Fi network

Ring vulnerability attributed to device's use of insecure HTTP rather than encrypted HTTPS

Amazon has released a fix for a vulnerability in its Ring Video Doorbell Pro device that enabled hackers to take control of users' Wi-Fi networks.

The vulnerability was discovered in June by security researchers at Bitdefender, who disclosed it to Ring through HackerOne bug bounty programme. A security patch for the bug was finally released by the vendor on 7^th November.

According to researchers, the vulnerability stems from the fact that anyone within the range of doorbell's Wi-Fi network could cause the doorbell to drop from the wireless network by sending some "deauthentication messages" to it.

Deauthentication allows a third party to mount the attack. This process causes the Ring app to send a notification to owner, who will then initiate the common troubleshooting measures to reset the doorbell.

Once the device is reset, it starts the process of pairing itself with the owner's Wi-Fi network. Because the exchange of information between the device and the app is performed via an unsecured HTTP connection, it enables a hacker within range of the Wi-Fi network to intercept the login details.

The patch released by Ring to mitigate the vulnerability ensures that the device uses an HTTPS connection while broadcasting a Wi-Fi signal for the phone to grab. The connection is also secured through a digital certificate, signed by the firm and validated by the app.

In a statement, Ring said that "customer trust is important" for the company and that it takes "the security of our devices seriously."

"We rolled out an automatic security update addressing the issue, and it's since been patched," Ring said.

Ring is a video doorbell maker that bought by Amazon last year for $839 million.

But this is not the first tim that security researchers have uncovered a vulnerability in Ring's devices.

In 2016, researchers at Pen Ten Partners discovered bugs in Ring's doorbell that allowed hackers to steal Wi-Fi passwords.

In February, cyber security firm Bullguard demonstrated live hacking of Ring doorbells at Mobile World Congress, which enabled Bullguard's team to view footage from the video feed of the device.