Major Security Vulnerability Found in Yet Another Consumer IoT Device

In a recent case study, cybersecurity research company Bitdefender revealed a serious security flaw in the popular Amazon Ring doorbell. When users configure the doorbell for a WiFi network, it creates an access point to that network that doesn’t require a password. Hackers can trick the device into malfunctioning, prompting the owner to reconfigure it and granting the hacker access to the network to launch a larger attack.

Bitdefender said it made Amazon aware of the issue and a spokesperson for Ring said the security hole has been closed and urged owners to make sure their devices have updated firmware.

See also: IoT Security Remains a Top Concern

Configuring for Safety

“When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecured manner, through an unprotected access point,” says Bitdefender. “Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”

“Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it’s since been patched,” the spokesperson says.

Earlier this year, Amazon released a firmware update to fix a security flaw that could have allowed hackers to access the doorbell’s audio and video.

The Amazon Ring doorbell has received other criticisms for privacy issues before, namely for its partnerships with police departments.