Ding-Dong — Your Easily Hacked 'Smart' Doorbell Just Gave Up Your WiFi Credentials
from the not-so-smart-devices dept
Have we mentioned lately that when it comes to the so-called “internet of things,” security is an afterthought? Whether it’s your automobile, your refrigerator or your tea kettle, so-called “smart” internet of things devices are consistently and alarmingly showing that they’re anything but. If these devices aren’t busy giving intruders access to your networks and passwords, they’re often making life more difficult than so-called dumb devices. Last week, for example, the popular Nest smart thermostat simply stopped working after a software update, resulting in thousands of customers being unable to heat their homes.
Now yet another security problem has been revealed in The Ring smart video doorbell, which lets you see who’s at your front door via a smartphone app. According to a blog post by Pen Test partners, all an intruder needs to do is to remove two screws, press a big orange reset button, and they’re able to access the configuration URL for the entire system, which can be chained with other devices including door locks and home security cameras:
“If the URL /gainspan/system/config/network is requested from the web server running on the Gainspan unit, the wireless configuration is returned including the configured SSID and PSK in cleartext.
The doorbell is only secured to its back plate by two standard screws. This means that it is possible for an attacker to gain access to the homeowner?s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL.
As it is just a simple URL this can be performed quite easily from a mobile device such as a phone and could be performed without any visible form of tampering to the unit.”
In short, your smart doorbell could potentially make you immeasurably less secure, without any visible signs of tampering to the outside unit. This is, the researchers have warned in a previous post, similar to a vulnerability common in a popular smart bathroom scale, which can be easily tricked into sharing a user’s WPA-PSK. Fortunately the company behind the smart doorbell tells the research firm that they quickly issued a firmware patch for the problem, though obviously not all vulnerabilities get fixed this quickly, and it’s one more example of “smart” technology being a great advertisement for more traditional, dumb devices.
And despite notable experience with security issues, broadband ISPs that have been eager to jump into the smart home arena aren’t having much more luck. A flaw was recently exposed in Comcast’s Xfinity home security and automation service, allowing a hacker to trick the system into reporting an “all clear” state by jamming the 2.4 GHz radio used by the service. The security service would then report that everything was fine for up to three hours, and once communication was re-established with the service base station, the system never informed the user there was a problem. So smart!
And the end of the day, if you’re interested in a smarter, more secure home, you may want to consider a dog.