Ding-Dong — Your Easily Hacked 'Smart' Doorbell Just Gave Up Your WiFi Credentials
from the not-so-smart-devices dept
Have we mentioned lately that when it comes to the so-called “internet of things,” security is an afterthought? Whether it’s your automobile, your refrigerator or your tea kettle, so-called “smart” internet of things devices are consistently and alarmingly showing that they’re anything but. If these devices aren’t busy giving intruders access to your networks and passwords, they’re often making life more difficult than so-called dumb devices. Last week, for example, the popular Nest smart thermostat simply stopped working after a software update, resulting in thousands of customers being unable to heat their homes.
Now yet another security problem has been revealed in The Ring smart video doorbell, which lets you see who’s at your front door via a smartphone app. According to a blog post by Pen Test partners, all an intruder needs to do is to remove two screws, press a big orange reset button, and they’re able to access the configuration URL for the entire system, which can be chained with other devices including door locks and home security cameras:
“If the URL /gainspan/system/config/network is requested from the web server running on the Gainspan unit, the wireless configuration is returned including the configured SSID and PSK in cleartext.
The doorbell is only secured to its back plate by two standard screws. This means that it is possible for an attacker to gain access to the homeowner?s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL.
As it is just a simple URL this can be performed quite easily from a mobile device such as a phone and could be performed without any visible form of tampering to the unit.”
In short, your smart doorbell could potentially make you immeasurably less secure, without any visible signs of tampering to the outside unit. This is, the researchers have warned in a previous post, similar to a vulnerability common in a popular smart bathroom scale, which can be easily tricked into sharing a user’s WPA-PSK. Fortunately the company behind the smart doorbell tells the research firm that they quickly issued a firmware patch for the problem, though obviously not all vulnerabilities get fixed this quickly, and it’s one more example of “smart” technology being a great advertisement for more traditional, dumb devices.
And despite notable experience with security issues, broadband ISPs that have been eager to jump into the smart home arena aren’t having much more luck. A flaw was recently exposed in Comcast’s Xfinity home security and automation service, allowing a hacker to trick the system into reporting an “all clear” state by jamming the 2.4 GHz radio used by the service. The security service would then report that everything was fine for up to three hours, and once communication was re-established with the service base station, the system never informed the user there was a problem. So smart!
And the end of the day, if you’re interested in a smarter, more secure home, you may want to consider a dog.
Filed Under: doorbell, iot, privacy, security, smart doorbell
Comments on “Ding-Dong — Your Easily Hacked 'Smart' Doorbell Just Gave Up Your WiFi Credentials”
I have two dogs, and zero “connected appliances.” That makes my house a smart house, right?
Re: Re:
You’re smart. The dogs are smart. The house is under investigation because the government (and their freelance counterparts) can’t just walk in in any time they want to without you noticing.
Design flaw
Notwithstanding the software/firmware issue: any security hardware worth it’s name will have it’s reset button/protocol on the inside of the premise being protected.
Look at any doorknob/deadbolt lockset and you’ll see they’re dismountable on the inside only.
This doorbell/camera should have two parts: the main unit on the outside and the controller on the inside. Single units on the outside is just asking for trouble.
Odds are Google (via Android) and your ISP (via their router) already have your WiFi credentials. At least this threat model consists of someone physically breaking into your stuff. If you’re really concerned about the IoT put it on a separate guest network.
Re: Re:
Microsoft too. They share it with all your Facebook friends on Windows 10.
Ding Dong
That is either an inappropriate nickname for those that succumb to the ‘smart house’ marketing or a renaming of the song from The Wizard of Oz proclaiming a dead witch, which might just be metaphorical for household security.
Oh yeah, it is also a trade marked snack cake item. Tasty!
Multiple Router SSIDs
Obviously, real security requires MULTIPLE PSKs, one for each insecure security device! Security devices should treat PSKs the same way passwords are treated: You can input them, but not get them back out!
Or, at a minimum, a remote sensor and an inside transmit unit!
And They Said It Was Impossible
See? It only took a short time for Silicon Valley to solve the encryption wars: instead of a backdoor key, a back doorbell.
“This means that it is possible for an attacker to gain access to the homeowner’s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL.”
Since the Ring is a motion sensing camera you will also have a video of someone unscrewing your doorbell from the wall:) and since it can be configured to alert you when the camera is “on” you could even start talking to the person tampering with your door bell. something like ” I would work a little quicker if I were you the Police are on the way” should be enough to do the trick 😉
Re: Re:
Of course the nefarious fool will be wearing a mask.
Bad lock no signal
So physical locks are easily bypassed with bump keys. Padlocks are easy to crack. Smart locks are bypassed with software….I think we may just suck at locks people.
You know who didn’t suck at locks? No..really I can’t think of anyone. Locks are hard. Heck the Chinese Emperor of the terra cotta army had to bury himself under a darned hill with traps and that still won’t work.
Re: Bad lock no signal
The engineers who designed the Panama Canal locks did a pretty good job back in the day. And Lascco makes wonderful lox. Although, other than (maybe) Slartibartfast, I can’t think of anyone who made lochs or loughs.
Re: Bad lock no signal
Actually, good locks that are hard (not impossible) to pick are quite common and relatively well known (http://www.blackhat.com/presentations/bh-europe-08/Deviant_Ollam/Whitepaper/bh-eu-08-deviant_ollam-WP.pdf).
Problem is, if your front door lock is hard to pick, and you get locked out of home… how do you get back in? In a locksmith can’t pick the lock for you, then it’s time to drill the lock out and replace it. Of course, if you want to protect against other parties drilling the lock out just as easily, then you are victim to the same difficulties if you ever need to break in.
Physical locks don’t have to be easy to pick. But most people want them that way, at least in their homes.
Perhaps you are missing the point here?
These devices are non-secure by design. They have been intentionally make to be hacked and you are supposed to run out and get you some of that.
The Internet of things including thermostats
Didn’t I read somewhere that Google’s connected thermostat update drained the battery and prevented access. The result was that there was the possibility of a cold house and maybe frozen water pipes. Bad for folks who went to a warm place to get away from those Northern Minnesota temperatures and couldn’t use their cell phones to warm up their houses.
I’m too dumb to properly configure smart appliances, so I use old-fashioned dumb appliances. Which means I’m safe and smart… I think the IOT is actually starting to give us idiots an advantage. Bow before us, brain-head thinky people!
> Bow before us, brain-head thinky people!
Of the few people I know who have been fooled into putting even just a “smart” thermostat in their homes, not one is what I would consider “smart”.
Re: Re:
Which is why they have to compensate for that with loads of smart thingies.
From what I just heard, this security issue was already FIXED!!! All RING Doorbells would automatically download and install this update as they all check for updates once a day.
Here is where it was originally Reported.
https://www.pentestpartners.com/blog/steal-your-wi-fi-key-from-your-doorbell-iot-wtf/
Way down on the bottom of the page is says FIXED!!! This topic is now fear mongering or a issue that’s already been taken care of. Anyone with a RING Doorbell is already cured!!!
Re: Re:
The issue of this particular vulnerability has been taken care of. I think the point’s more that this sort of vulnerability shows up at all: you note all the security screw-ups across the board of smart-things and see if their frequency increases or decreases. It’s nice to know if these fuck-ups are outliers or are part of an industry-wide, systemic carelessness.
Re: Re: Re:
Where is your willing suspension of disbelief?
You are supposed to not think about what could possibly go wrong and simply buy their crapware and submit to their spying. What the hell is wrong with you?
Re: Re:
Yes this was already fixed. In fact this company did it almost on the same day that it was reported. Which was last Friday. So you guys are a little behind here.
Re: Re:
“Doorbells would automatically download and install this update as they all check for updates once a day.”
This is a doorbell, ffs.
Who the hell needs a doorbell anyway, make ’em knock on the door. Hey, is there an internet connected door knocker?
Re: Re:
Meanwhile, towards the bottom of this article…
Fortunately the company behind the smart doorbell tells the research firm that they quickly issued a firmware patch for the problem, though obviously not all vulnerabilities get fixed this quickly, and it’s one more example of “smart” technology being a great advertisement for more traditional, dumb devices.
That it was a problem that was quickly fixed wasn’t the point of the article, the point was showing yet another example of how ‘smart’ devices can be really stupid and open up security vulnerabilities and/or cause other problems.
Re: Re: Re:
And honestly, what would prevent a really focused attacker from faking a wireless connection and forcing a fake firmware update? I don’t know how to fix this vulnerability because wires can be hacked as well but at least you can secure the wires behind a physical barrier.
Re: JBDragon
There is a difference between ‘a fix was issued’ and ‘a fix was applied by every home owner’ pal, not to mention the gap between ‘a fix was issued’ and ‘a fix works properly, isn’t buggy, doesn’t break some other core security component, and there aren’t any other massive security flaws in this no-privacy-by-design product.’
So no, not fear mongering, but instead educational content warning people of the actual/real/physical dangers these devices pose for the people that are on the inside of a house that is ‘protected’ by this device.
HELP!
I completely removed my front door in the name of convenience, but now thieves can just walk into my home. Does anyone know of a way I can secure my front doorway?
If you’re going to call out the particular vendor, in this case Ring, then you should also be balanced and say that they have ALREADY PATCHED the issue, before it was disclosed to the public. They have already pushed out an automatic update to all existing customers to patch the issue.
This episode should be a warning to all IOT companies and potential customers, but also an example of an IOT company handling a discovered problem as well as possible.
Re: Re:
Yes, however – the issue is somewhat larger than one specific instance, it points toward a more pervasive lackadaisical attitude toward ones customers. This give a shit attitude can be seen across all industry, but let’s just let them slide – not.
Re: Re:
I think you (totally) miss the point here…
No amount of ‘firmware upgrade’ is going to change the fact that 2 screws and a big red^H^H^H orange button are all that keep the bad guys from connecting to the device’s management interface.
What IDIOT thought it was a good idea to put the private access zone on the insecure side of the device? (probably the same one who doesn’t know how to use a drill to bore a hole through the door!)
There’s an old adage… “never trust a programmer with a screwdriver.”
The problem here is
This product boasts amongst other things a very poor design with fundamental flaws. As a software engineer in the I am horrified. This product was clearly built down to a price rather than up to a standard.
Re: The problem here is
You could say the same about most Wi-fi routers, smartphones, or pretty much any commodity electronic device.
So how’s those back doors (or in this case front doors) working out?
Y’know, I already have a device that lets me see who’s at the door. It’s called a “window”, and in over 50 years it hasn’t needed batteries or an upgrade.
pounding square pegs in a circle
Wtf are doorbells using wifi to begin with? That sounds just as sensible as using wifi in a car key’s alarm dongle. Wouldn’t a better alternative be to use an RF module?
Dogs have been the best security system since the dawn of man, and they’re in no danger of becoming obsolete.
Also, in Russia, doorbell rings you.
Re: Re:
Dogs have been the best security system since the dawn of man, and they’re in no danger of becoming obsolete.
Unfortunately, dogs have a fatal design flaw in that they are alive and like to eat. A zombie dog would be a safer bet, since they wouldn’t be interested in the steak laced with strychnine. An added benefit is their love of human brains.
In all seriousness though, dogs are far more expensive than a cheap doorbell, which is why they tend to not have as much of an acceptance rate, plus attackers can easily trap the dog in a closet with a steak and go about their nefarious activities.
Re: Re: Dogs
There use to be a show called “IT takes a Thief” (not the one with Robert Wagner.) In it an ex-thief and security guy would break into people’s home (with their permission) to check their security setup. Many of these people had dogs. Typically the ex-thief stole the dog. No strychnine necessary. Feed the dog and they would follow him home.
Dogs are good to warn you of an intruder. They might even scare off a non-violent intruder. In a home invasion, or if you are not there what you’re most likely to end up with is a dead dog.
My thoughts as a Ring Owner
I have a Ring doorbell. If somebody tried to remove it I would get a notification and the video of the person doing it would be uploaded to the cloud. Also, they are not standard screws on the door bell. They are a proprietary security hex. While it would not stop someone determined to take the doorbell because the mounting bracket is plastic and could be ripped of the wall it would also slow them down.
So if somebody got my WiFi credentials by this method I would change the password. While it is unfortunate that they did not properly secure the device in the first place in the case the company did the right thing and immediately acknowledged and correct the issue. Which I suspect not all internet of things manufactures will do.
Re: My thoughts as a Ring Owner
To be fair there are far easier & stealthier ways to steal your wifi access. Like you say, if you get your ring stolen ( and you would know soon enough) you know to changed your password.. Losing your ring is more of a nuisance than losing your password.. :-/
Biggest Intruder
Don’t forget that the party best placed to intrude in your digital devices is the manufacturer. That is, if the software is proprietary rather than free/libre. A proprietary program is completely under the control of its developer. Famous developers such as Microsoft, Apple, Amazon and Google make malware a standard practice (see http://gnu.org/proprietary/ for examples and references). The rest very likely do the same — but who knows?
Let’s demand free/libre software in “smart” devices, as in computers.
See http://gnu.org/philosophy/free-software-even-more-important.html.
Yes, I also like this Ding-Dong smart doorbell because of some new device. Its included some great features that make our life is so easy. It’s always saved our home. It’s not added LED flashing light. Otherwise, it will a great home doorbell.
Amazing Info
You got into my nerves. I am just now more aware and will let my users know about this concern
Skybell Vs Ring
Beautiful Insights. Would definitely love to give a pingback to this article.
So it's fixed?
“Fortunately the company behind the smart doorbell tells the research firm that they quickly issued a firmware patch for the problem”
So everything leading up to this sentence is moot? There was a problem, they fixed it, right?
And besides, the motion-sensing doorbell would notify you when someone was trying to remove it, so you’d be tipped off.
The MAFIAA had it coming.
Smart people don’t connect all their stuff to the Internet.
Probably just getting a dog is still a better idea than having smart devices.
‘Wi-Fi deauthentication attack‘
Errmmm…
1) Why not just flood the target accesspoint with deauthentication packets. This will cause the target accesspoint to disconnect the wireless doorbell from the network??? No wifi no notification??