Ring Doorbell has patched a flaw that allowed attackers to spy on and inject their own application footage, thereby undermining users’ home security.
Researchers at Dojo, Bullguard’s Internet of Things (IoT) security team, discovered the vulnerability while performing an independent security assessment of the smart doorbell.
They began their analysis by inspecting the device’s network traffic. This step revealed that a ding at the doorbell triggers an API call to an AWS relay server. In response, the server communicates with the device and triggers a notification. A audio/video stream then makes its way to the server, which is bounced to the application.
Taking a closer look at the application’s call setup, Dojo found that Ring wasn’t using standardized SIP/TLS and SRTP protocols. Instead it was employing its own SIP/RTP crypto that added a security triplet in the “INVITE” SIP message.
The researchers then transitioned to sniffing the application and found that the RTP traffic was transmitting in plaintext. Building on this discovery, they extracted a MPEG file through which they could view the video feed. They found it was possible to also access the audio stream so long as they had access to incoming packets.
In its estimation, Dojo said it could get the appropriate level of access by exploiting another smart home device if the user was home or by tricking them into joining a rogue Wi-Fi network.
The researchers didn’t stop there, however. They also found it was possible to inject their own feed. This could set the stage for all kinds of attacks.
Or Cyngiser, a digital security researcher at Dojo, provided one such example in a blog post:
The attack scenarios possible are far too numerous to list, but for example imagine capturing an Amazon delivery and then streaming this feed. It would make for (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/iot/ring-doorbell-patches-footage-spying-injection-flaw/