Amazon's Ring Resolves Security Flaw, Ensuring User Camera Recordings Remain Secure

Protecting User Privacy: Amazon's Ring Addresses Security Flaw Impacting Camera Recordings

In May, Ring, a company owned by Amazon, quietly fixed a security vulnerability classified as “high-severity.”

This vulnerability posed a serious threat, as it had the potential to allow unauthorized individuals to access camera recordings from Ring video doorbells and extract sensitive personal data belonging to users.

How Was It Discovered?

  • The discovery of this flaw was made by Checkmarx, an application security firm based in Atlanta. 
  • During their examination of Ring’s Android app, which boasts an impressive number of over 10 million downloads, they stumbled upon multiple bugs. 
  • Chained together in a specific sequence, these bugs gave attackers a way to exploit the vulnerability.

How Could Attackers Exploit It?

  • The attackers could achieve this by creating and distributing a malicious app or issuing an update to an existing one. If an unsuspecting victim were to install the malicious app, it would grant the attackers access to authentication cookies.
  • Authentication cookies are small files that allow users to remain persistently logged in without having to repeatedly enter their passwords. Armed with these stolen cookies, an attacker could gain entry to a user’s Ring account without requiring their password. 
  • This alarming scenario meant that the malicious app would have the ability to pilfer various sensitive details from Ring users, such as their full name, email address, phone number, and data associated with Ring devices, including camera recordings and geolocation information.

Everything Tracked By Attackers

  • Checkmarx also highlighted another unsettling aspect: successful attackers could extract additional information from Ring camera recordings. This could include details contained in documents or visible on computer screens within the camera’s field of view. 
  • Furthermore, attackers could track individuals’ movements as they enter and exit rooms or buildings. The level of intrusion that could be achieved through this vulnerability was quite staggering.

Ring fixed the vulnerability on May 27 by releasing version 3.51.0 of the Ring Android app. In its communication with Checkmarx, Ring said that no customer data had been exposed.

To gain further insights, we reached out to Ring spokesperson Claudia Fellerman, who confirmed the company’s successful resolution of the vulnerability.

It’s important to note that Amazon acquired Ring for approximately $1 billion back in 2018. Since the acquisition, the video doorbell manufacturer has expanded its partnerships with law enforcement agencies, boasting connections with over 2,200 police departments across the United States. 

This collaboration allows the police to request video doorbell camera footage from homeowners, a concept that has sparked considerable debate and controversy. However, this recent incident serves as a reminder that security concerns should be given due attention.

It’s worth mentioning that last year, Ring shared a significant amount of user data and customer video recordings with authorities without obtaining the consent of the account owners. 

This lack of transparency and respect for user privacy has raised eyebrows and fuelled concerns among privacy advocates and users alike.

Adding to Ring’s security woes, a security flaw was found in Ring’s Neighbors app earlier this year. This flaw exposed the precise locations and home addresses of users who had posted content on the app.

Such incidents underscore the importance of robust security practices and the need for continuous improvement in the face of evolving threats.

Conclusion

In conclusion, the May incident involving Ring’s security vulnerability highlighted the potential risks users face when relying on technology for home security. While prompt action was taken to address the issue and mitigate any potential damage, it serves as a reminder for companies to prioritize security and privacy, and for users to remain vigilant and informed about the risks associated with their devices and applications.