Ring has pushed out a fix to a security issue in the configuration code for its Internet-connected home security products. Researchers from Bitdefender notified Ring in June of a flaw in Ring Video Doorbell Pro cameras' software that made it possible for wireless eavesdroppers to grab the Wi-Fi credentials of customers during the device's setup—because those credentials were sent over an unsecured Wi-Fi connection to the device using unencrypted HTTP.
In a report on the bug issued yesterday as part of a coordinated disclosure with Ring, Bitdefender researchers explained that when customers configured a Ring Video Doorbell Pro out of the box:
…the smartphone app [for Ring] must send the wireless network credentials. When entering configuration mode, the device creates an access point without a password (the SSID contains the last three bytes from the MAC address). Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network. All these exchanges are performed through plain HTTP. This means the credentials are exposed to any nearby eavesdroppers.
An attacker could take advantage of this bug by forcing a victim to reconfigure the doorbell. The attacker could use a Wi-Fi deauthorization ("deauth") attack against the device to make it re-enter configuration mode and could use a malicious Wi-Fi device to make the Ring doorbell drop off its network.