Amazon’s Ring Doorbells Sent Wi-Fi Passwords in the Clear
Earlier this year, researchers at the cybersecurity firm Bitdefender discovered that Amazon’s Ring doorbells were sending Wi-Fi network passwords in cleartext over the local network. A nearby attacker could have intercepted the Wi-Fi network’s password and used it to access the homeowner’s network. The likelihood of this happening was low, and Amazon fixed the vulnerability in September 2019, but the larger concern is that poorly programmed Internet of Things devices may inadvertently be exposing our Wi-Fi traffic.
How is that? Seems very possible that this could happen and that people cruise the 'burbs looking for easy pickings just like this!
The password was transmitted in the clear only during setup, so the attacker would have to be in the right place at the right time to get it on initial setup. The subsequent attack was to force a disconnect, such that the user had to set the Ring doorbell up again, which would make the exposure window much more predictable. I doubt an attacker would cruise for such a thing—they’d set up automated gear in a nearby spot that was close enough, force the disconnect, and then wait.