New research has found that Amazon Ring smart doorbells may have a number of significant security flaws.
Bitdefender found that the products were leaking the password for their users' Wi-Fi networks, making the details available to any third parties.
The issue appears to affect the Ring Video Doorbell Pro device, which costs around £220/$225, with thousands of users potentially at risk of having their home networks compromised.
Bitdefender's research found that when a Ring doorbell registered with a user's Wi-Fi network, it was sending the password needed to join in cleartext. This could have allowed hackers to intercept the password, and then use it to infiltrate the network for malicious purposes.
This data was also being sent over an unencrypted connection, putting the user network at further risk.
“When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecure manner, through an unprotected access point,” Bitdefender said in a blog post detailing the findings. “Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”
Bitdefender found that hackers could also potentially trigger the reconfiguration of the Ring Video Doorbell Pro by overloading it with a stream of deauthentication messages, making the device get dropped from its wireless network. When this happens, the mobile app loses connectivity and asks the user to reconfigure the device, giving hackers another way in.
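As an added illustration (not code from Bitdefender's write-up or from Ring), one way a defender monitoring their own wireless network could flag the stream of deauthentication messages described above is to count deauth frames per target station in a sliding time window. The record format, MAC addresses, window and threshold below are constructed assumptions.

```python
from collections import defaultdict, deque

DEAUTH = "deauth"  # label used here for 802.11 deauthentication frames


def find_deauth_bursts(frames, window=5.0, threshold=10):
    """Return {target_mac: peak_count} for every station that received at
    least `threshold` deauthentication frames within `window` seconds.

    `frames` is an iterable of (timestamp_s, subtype, src_mac, dst_mac)
    tuples sorted by timestamp (an assumed, simplified capture format).
    Counting is keyed on the target because the sender address of an
    unprotected management frame cannot be trusted.
    """
    recent = defaultdict(deque)  # target -> timestamps still inside the window
    peaks = {}
    for ts, subtype, _src, dst in frames:
        if subtype != DEAUTH:
            continue
        seen = recent[dst]
        seen.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while seen and ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            peaks[dst] = max(peaks.get(dst, 0), len(seen))
    return peaks


# Constructed sample data: locally administered MACs, not real devices.
AP = "02:00:00:00:00:aa"
DOORBELL = "02:00:00:00:00:01"
LAPTOP = "02:00:00:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def sample_frames():
    """One ordinary deauth for a laptop, then a 40-frame burst at the doorbell."""
    frames = [(0.0, "beacon", AP, BROADCAST), (1.0, DEAUTH, AP, LAPTOP)]
    frames += [(10.0 + i * 0.1, DEAUTH, AP, DOORBELL) for i in range(40)]
    frames.append((20.0, "beacon", AP, BROADCAST))
    return frames


if __name__ == "__main__":
    for mac, count in find_deauth_bursts(sample_frames()).items():
        print(f"possible deauth flood against {mac}: {count} frames in 5 s")
```

A single deauthentication frame is normal when a client leaves a network, so the threshold should be tuned against baseline traffic before alerting on it.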
Bitdefender says that all Ring Doorbell Pro cameras have received a security update that fixes the issues its team found, and that users should download and install this as soon as possible.
"Customer trust is important to us and we take the security of our devices seriously," a Ring spokesperson told TechRadar Pro. "We rolled out an automatic security update addressing the issue, and it's since been patched."