A series of stories has been circulating for a while now about Amazon’s Ring doorbell, an internet-connected camera and entry system that allows users to monitor and even interact with visitors and delivery people at their doors. The commercials feature unusual encounters in which the IoT-equipped homeowner foils potential crooks, but the tales show a much darker side. From allegations of unhindered access by law enforcement to privately held computers, through mass leaks of compromised Ring account details, to criminals obtaining access to children through hacked videos, it’s fair to say there’s a lot to worry about.
One cause for concern was the location details revealed by the related Amazon Neighbors crowd-sourced local crime hysteria app, and for those of us who don’t live and breathe information security, there is an easy-to-understand Twitter rundown of its flaws by [Elliot Alderson], beginning with the app itself and continuing from there to hacking Ring users by identifying their vulnerabilities. We find that apparently anonymized information in the software sits atop an API address with full details, that there is no protection against brute-forcing a Ring PIN, and that a delicious list of APIs and staging URLs is embedded in the app for everyone to see. Given all this detail, it’s little wonder the device was so weak.
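The missing brute-force protection mentioned above is the easiest of these flaws to reason about in code. The following is an added example, not code from the original article or from Ring: a server-side per-account throttle with exponential lockout, where the class name, policy values, account name and PIN are all constructed for illustration.

```python
import hmac

class PinThrottle:
    """Per-account failure counter with exponential lockout (hypothetical policy values)."""
    FREE_ATTEMPTS = 3        # failures tolerated before any delay is imposed
    BASE_DELAY = 30          # seconds; doubles with each further failure
    MAX_DELAY = 24 * 3600    # cap on a single lockout

    def __init__(self, pins, clock):
        self._pins = pins            # account -> PIN (constructed; a real service stores a salted hash)
        self._clock = clock          # injectable time source so the policy can be tested
        self._failures = {}          # account -> consecutive failures
        self._locked_until = {}      # account -> timestamp when guesses are evaluated again

    def attempt(self, account, pin):
        now = self._clock()
        if now < self._locked_until.get(account, 0):
            return "locked"          # rejected without evaluating the guess at all
        expected = self._pins.get(account, "")
        # Constant-time comparison so response timing does not leak matching digits.
        if account in self._pins and hmac.compare_digest(pin.encode(), expected.encode()):
            self._failures.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.FREE_ATTEMPTS:
            delay = min(self.BASE_DELAY * 2 ** (n - self.FREE_ATTEMPTS), self.MAX_DELAY)
            self._locked_until[account] = now + delay
        return "denied"

def evaluated_guesses(throttle, account, window_seconds, clock_state):
    """Count wrong guesses the server actually evaluates when one arrives every second."""
    evaluated = 0
    for _ in range(window_seconds):
        if throttle.attempt(account, "0000") == "denied":
            evaluated += 1
        clock_state[0] += 1
    return evaluated

if __name__ == "__main__":
    t = [0]                                           # simulated clock, in seconds
    throttle = PinThrottle({"alice": "4821"}, lambda: t[0])
    # One guess per second for an hour: only a handful are ever checked.
    print(evaluated_guesses(throttle, "alice", 3600, t))
```

With this policy a four-digit PIN space of 10,000 values cannot be walked in any practical time, whereas with no throttle every guess is evaluated. Keying the lockout on the account alone also lets a third party lock the owner out, so a deployment has to weigh that against the protection.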
While mainstream appliance makers have stumbled in introducing Internet connectivity into their goods, a pair of tales of woeful security has reached millions of homes. An argument could be made that such a gaffe can be forgiven in a corporation with origins outside the Web, but in the case of Amazon, whose past has mirrored the widespread adoption of the Internet and whose technology is behind so many of the utilities that we trust, this degree of lax security is unforgivable. Hackaday readers are aware of the security issues surrounding so-called “smart” apps, but for the vast majority of customers these are just engineering advances that finally deliver a Jetsons-style future. If some good comes from these Ring stories, it may be that these customers wake up to IoT security and use their newly found awareness to demand better.