back to article One Ring to pwn them all: IoT doorbell can reveal your Wi-Fi key

Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes. The Ring allows punters to answer people knocking on …

  1. Paul Crawford Silver badge

    There was a time when gaining access to one's WiFi password was but a minor annoyance if others free-loaded off your connections. Of course these days it seems they could then screw over all of the piss-poor security in IoT and SOHO equipment inside your home without having to leave their van*

    [*] Other transport options are available, assuming they are not dumb enough to live next door and have no getaway plan on discovery.

    1. Anonymous Coward
      Anonymous Coward

      "There was a time when gaining access to one's WiFi password was but a minor annoyance if others free-loaded off your connections"

      Now of course it's zero annoyance as we have much more bandwidth. I stopped securing my WiFi a decade ago and have never had an issue. It works much faster with the encryption off too.

      1. Anonymous Coward
        Anonymous Coward

        You're running the risk of miscreants using your connection for illegal stuff. You could probably prove it wasn't you in the end, maybe; but you'd probably have to live without all your computer kit for quite some time.

        1. Anonymous Coward
          Anonymous Coward

          Not only miscreants using it. If you've no password set, you've no encryption, which means every device it talking in the clear - so very easy to steal the login credentials used for this site by that particular AC.

          1. Anonymous Coward
            Anonymous Coward

            "so very easy to steal the login credentials used for this site by that particular AC."

            Anything that matters uses HTTPS.

          2. 's water music

            very easy to steal the login credentials used for this site by that particular AC.

            I'm gonna remember that for next time* I post something dumb here.

            *i.e. most times

        2. Anonymous Coward
          Anonymous Coward

          "You're running the risk of miscreants using your connection for illegal stuff."

          So what.

          "You could probably prove it wasn't you in the end, maybe!"

          An open WiFi connection is complete deniability in the absence of any other evidence.

          "you'd probably have to live without all your computer kit for quite some time"

          Unlikely unless there was more evidence than the IP address. Even then they would just copy the HDD and return it fairly quickly. Numerous other open WiFi hotspots seem to manage just fine!

          1. Anonymous Coward
            Anonymous Coward

            Unlikely unless there was more evidence than the IP address. Even then they just copy the HDD and return it fairly quickly.

            According to what I've read; that's not the way it happens. Firstly every device in the house is bagged up and taken away. Secondly you have to wait for a police tech forensics team to get round to it, and I've read about this taking months.

            All depends what you're suspected of and how switched on your local police are. The impression I get, though, is if you're expecting same-week service, you're likely to be disappointed.

            1. Anonymous Coward
              Anonymous Coward

              From personal experience

              The police took over 12 months to return my kit and say 'no further action'

          2. Kraggy

            Actually, no it isn't a defense at all, I suggest you research decided cases.

            1. Anonymous Coward
              Anonymous Coward

              And, I suspect, if the police take all your equipment away, it won't matter what it's for, it will be noticed, get around and before very long you'll be assumed to be a pedophile. And the only chance of people accepting it isn't the case is if it ends up front page news.

          3. Black Betty

            THAT my friend depends entirely on where you live.

            In many places, its an offense in it's own right to leave your wi-fi unsecured.

            You obviously don't know the police very well. Even if you're as pure as the driven snow, you're looking at 12 - 24 months for the return of your kit, with a very good chance that it will be returned damaged in some way.

            And then there's the strength of your network security. Because, if it's not locked down solidly, it might not just be your bandwith being stolen. A knee grinding into your kidneys will just be the start of your troubles if some miscreant uses your equipment to host his kiddy porn site. Even if your innocence is eventually established, your life will still be over.

      2. Kraggy

        If it's noticeable faster with encryption turned off you've got some pretty lame equipment, frankly.

        Also, failing to secure your Wi-Fi is no defense when the police call tracking down someone using your network to download child porn or somesuch.

        1. Anonymous Coward
          Anonymous Coward

          "failing to secure your Wi-Fi is no defense"

          It's no offence either. Wireless Mesh networks encourage exactly that for instance.

          And in the absence of any other evidence they wont be able to stick you with something that otherwise you might tend to be found "guilty by default" such as copyright infringement...So it's certainly a better position to be in.

          1. Anonymous Coward
            Anonymous Coward

            You are a grownup and will do what you will. You should, consider, though that people can -and have- been busted for illegal stuff done through their open WiFi without convincing evidence nailing said illegal conduct down to a particular person.

            And as TDT pointed out earlier, if people see your computer equipment being wheeled away by the police malicious gossip is going to start. This will at best make for uncomfortable living for the (probable) months it'll take the police to process. There's a real chance of verbal and physical attacks against you and your family (if applicable).

            Then there's proving your innocence. Proving you did something is relatively easy...you produce logs; paper trail; witnesses etc. that place you at a particular place at a certain time doing a certain thing. Proving you didn't do something is very much harder; especially if it's illegal behaviour (as opposed to a particular incident) like kiddieporn that could be done at any time over a period of months or years.

            All this so far has been discussing someone using your network as a passthrough for their own illegal activities. Now let's discuss malicious:

            1. It is trivial to set up a high-powered Wifi access point with the same name. Your machine will default to the best signal, so chances are you'll connect to the fake; probably without noticing. So the attacker monitors your (unencrypted) signals; and that will in fairly short order give them login to your email account and 2 hours after that probably the rest of your online personae/s.

            2. Paranoid scenario. A neigbour (or frequent drive-by) user of your network actually is into kiddieporn. What better way of allaying suspicion than to inject a couple of KP folders into your system and providing the police someone to work on? Your kit is going to be easier to get at because it's sending everything in the clear and you leaving Wifi open strongly suggests that security is not one of your priorities. This can and does happen and has been mentioned in several spook agency notes as a fast and reliable way of discrediting people.

            An open wifi network does not give you a get out of jail free card in relation to copyright infringement either.

            Chances are nothing will happen (although the odds are shortening as time goes by). But if things do go wrong; the potential for them to go very badly life-fuckingly wrong is just not worth the risk when the solution is so simple.

      3. gnasher729 Silver badge

        If your network uses WEP 2, which it most likely does, then the encryption of any WiFi connection can be cracked by anyone connected to the network. So a crook with your WiFi password can connect to your network, and then crack your own connection, and listen to everything your computer or your phone does.

        Most important are unencrypted emails, insecure websites still using http, and possibly WiFi connected printers.

    2. Anonymous Coward
      Anonymous Coward

      Of course these days it seems they could then screw over all of the piss-poor security in IoT and SOHO equipment inside your home without having to leave their van

      Indeed, in addition to unlocking your front door, they can make the milk in your fridge too cold, and make your coffee too weak :http://www.cnet.com/news/internet-connected-coffee-maker-has-security-holes/

      1. Anonymous Coward
        Anonymous Coward

        They could ruin your uranium gas centrifuges.

    3. Anonymous Coward
      Anonymous Coward

      Couldn't it be connected to the doorbell and the wifi devise mounted inside the house?

  2. The Real Tony Smith

    WTF?

    So you have to wait for someone to ring the doorbell before you get a software update?????

    1. Andrew Penfold
      Joke

      Re: WTF?

      Yes, that's the updated exploit - slightly more difficult this time:

      Set up a wireless network with the same SSID as the one emanating from the property, but with no encryption and a much stronger signal. The doorbell MAY then hop onto that network (if it's dumb enough).

      Then, you press the doorbell to make it do a firmware update - it then connects to your fake update server and downloads your "updated" firmware complete with code of your own design (if it doesn't verify the identity of the update server or use code signing on the update).

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF?

        Otherwise known as the evil twin attack....

    2. thesykes

      Re: WTF?

      To be fair, if you were fitting one of these, wouldn't you press the doorbell yourself immediately, to test that it actually works?

    3. YassiRing

      Re: WTF?

      Hi Tony,

      I just wanted to clarify that you do not have to wait for someone to ring the doorbell in order for you to get a software update. Your device automatically looks for an update every 24 hours, so your device most likely receives and uploads the update without you even realizing it!

      If you have any further questions, please feel free to reach out directly at y@ring.com.

      Best,

      Yassi, Brand Manager at Ring

      1. Intractable Potsherd

        Re: WTF?

        "... reach out directly ..." - in English, that means "email".

        Use of that phrase has moved the company even further down my list of doorbell suppliers.

  3. Anonymous Coward
    Anonymous Coward

    'KNOCKERS!!'

    I find that you can't go wrong with a heavy pair of knockers.

    1. tiggity Silver badge

      Re: 'KNOCKERS!!'

      It can be a bit bad for the back if they are too heavy!

  4. Unep Eurobats
    Coat

    Doorbells? Who needs doorbells?

    Delivery people send you a text and then knock.

    Otherwise it's Jehovah's Witnesses, politicians or lost pizza-delivery people. We don' need no steenkin' doorbells.

    (If you do actually need a doorbell please tell me. I know some of my fellow commentards love a rhetorical question.)

    1. BongoJoe

      Re: Doorbells? Who needs doorbells?

      For the last fifteen years or more I've never needed a doorbell or a knocker.

      Either the door is open or someone stood outside of the cottage and shouted.

      But now that I live in a motorhome touring around the idea of having a doorbell seems ludicrous. Though one of those ships bells hanging outside does appeal even though it may be a little noisy going up the M5.

      1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Doorbells? Who needs doorbells?

      I have never, ever, ever had a delivery person text me.

      They ring the bell, wait for 10 seconds then jump back in the van as quickly as they possibly can to avoid having to actually, you know, deliver the item.

      Yes I need a doorbell, but I don't think I want to pay $100 for one that is insecure. I'd just like people who ring it understand that I am not necessarily sitting in a chair right next to the door waiting to jump up and answer it.

    3. jgarry

      Re: Doorbells? Who needs doorbells?

      Put on shorts.

      Take stinky food garbage outside.

      Family member walks by, sees door unlocked, locks door, walks out of earshot.

      Freeze while pounding on door because you don't have a doorbell any more.

    4. Doctor Syntax Silver badge

      Re: Doorbells? Who needs doorbells?

      "Delivery people send you a text and then knock."

      Hereabouts they ring the bell & ask for such & such house. It's a consequence of most houses not having numbers & looking for the nameplate being too hard.

      1. paulf
        Coat

        Re: Doorbells? Who needs doorbells?

        That'll make for a new entry on courier "While you were out" cards.

        Dear Householder,

        We were unable to deliver your item today because:

        1. It was too large for your letterbox

        2. It requires a signature

        3. Your doorbell didn't ring because it was downloading and installing a firmware update.

        As a result I've:

        a) thrown it over your back gate

        b) left it by the front door for some scumbag to pinch

        c) thrown it on the roof

        Yours etc

        Yodel

        1. Intractable Potsherd

          Re: Doorbells? Who needs doorbells?

          All these terrible stories about delivery drivers/postmen make me think I have been very lucky. Maybe it is the regions of Britain I've lived in (South Yorkshire, Warwickshire, East Central Scotland), but the only time I've had any problems was with a delivery that appeared not to arrive (motherboard, RAM and CPU, I think). Contacted the supplier, replacements sent out and received - original package found two weeks later very securely hidden in a corner of the greenhouse! No card had been left, for some reason. Beyond that, I have never had a problem. My current regular delivery driver is always great (even though we live up a fairly narrow lane that has only one way in and out), and has never failed to leave a package regardless of weather, occasionally using his own initative!

          1. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Hmm, there I was thinking .... how many users would actually ever update the firmware in something like that.

    But then we find it automatically updates itself, with (in real terms) no notification to the owner. What could possibly go wrong there ?

    In reality this simply demonstrates a fundamental design issue. The idea of putting a "secure bit" out in the open for easy attack is "not very clever" - just "convenient" and yet again we see "convenience trumps secure". Only the display, button, etc should be outside - the "clever" bits should be in a secure location (ie inside), but that would make it more expensive and harder to install.

    Years ago I recall being sent to do some work at the home of a boss's friend. Yeah, being sent to Monaco sounds great, but apart from arriving and departing didn't set foot outside of the apartment.

    He showed me the fingerprint scanner on the front door - and explained how he'd had to work with the manufacturer to move the "works" inside the property. What's the point of a "secure" lock if all the user has to do is pull the front panel off and stick a bit of wire across two terminals to simulate the device operating it's relay to unlock the door !

    1. John Brown (no body) Silver badge

      "What's the point of a "secure" lock if all the user has to do is pull the front panel off and stick a bit of wire across two terminals to simulate the device operating it's relay to unlock the door !"

      Don't forget the fireworks charge so when someone rips off the keypad, shoots it or stabs a knife into it that not only does the door open but there's a pleasing amount of sparks and smoke as the indicator turns green to let you know it's open.

    2. Chloe Cresswell Silver badge

      One of my suppliers makes a door entry phone that uses ipv6, "no setup needed", but even the "antivandal" model screwed on from the outside. And inside it is the network connection that has to come through from inside to it.

      I said it's a bit of a flaw, was told no one would expose their main network this time. I thought of my clients and have seen it done before I fixed it, and my responce was "yes, people are that dumb"

  6. sysconfig

    "smart door locks"

    Not going to happen. Ever. (In my house, that is.)

    If somebody wants to enter my house, there's three options:

    - a family member lets them in

    - they have a physical key

    - they have to forcefully break in

    I will not add an attack surface which can be exploited from virtually anywhere and allow burglars to enter the house as if the door was left open, without any physical trace of forced entry. It'll be a hell of a job to explain that to the plod and the insurance!

    1. Eddy Ito
      Black Helicopters

      Re: "smart door locks"

      Are you sure? I mean if you're lucky the burglars will steal the 'evidence' the plod were planning on 'finding' later that evening.

  7. Anonymous Coward
    Anonymous Coward

    Not worth the effort.....

    Or you could just use any of the NDE (non-destructive entry) techniques which you can use to enter a front door the normal way: bump keys, bypassing the lock entirely, picking the lock manually, using pick rakes or a pick gun OR instead of using that screwdriver to PHYSICALLY UNMOUNT the doorbell (and put it into setup mode then connect to the wireless unit to get the PSK and order the door to unlock) you could already have gone around to the side of the house with said screwdriver - jimmy a window and already have looted half the house.

    The only problem I see with this, is that it adds yet another way to enter your house....

    Pentest partners put on a good show at Infosec hacking dolls with vulnerabilities from 1999 but please, lets not get excited....

  8. tony2heads
    WTF?

    Why??

    Why would anybody want a doorbell on a network; you are not going to open the door if you aren't physically present, are you?

    I certainly wouldn't.

    1. This post has been deleted by its author

    2. The_Idiot

      Re: Why??

      Imagine, at least I hope for your sake imagine, your partner has advanced Multiple Sclerosis. Yes,other candidates may be relevant, but for the sake of argument, let's say MS.

      Let's say your partner is wheelchair bound and lacks the ability or dexterity to unlock the door.

      Let's say, purely hypothetically, that you looked at a powered door opener with a remote keyfob your partner could use, but it was, for the sake of discussion, $3,000 plus, and it turned out your partner lacked the dexterity to use the keyfob reliably.

      But - said partner can and does, purely hypothetically, use a keyboard and mouse every day.

      May I suggest that, purely hypothetically and for the sake of discussion, there just might possibly be a use-case some people haven't thought of - but others may have, unfortunately, had to seriously consider.

      1. Intractable Potsherd

        Re: Why?? re: different use cases

        Mr/Mrs Idiot: yes, I have had to think about these things due to my own advancing lack of dexterity, and I have completely dismissed them. Some form of hard-wired access from inside the house - possibly. IoT enabled access from anywhere - not a chance.

      2. Anonymous Coward
        Anonymous Coward

        Re: Why??

        May I suggest that, purely hypothetically and for the sake of discussion, there just might possibly be a use-case some people haven't thought of - but others may have, unfortunately, had to seriously consider.

        That is one use case, but having something that lets world+dog in through such glaring security oversights is a danger to someone in that condition too as they'd be unable to defend themselves against an intruder.

        I'd imagine someone in that situation though would be rarely alone, and so having a physically able-bodied person (as much as that might be undignified and irritating) open the door might be the superior option.

  9. This post has been deleted by its author

  10. adnim
    Meh

    I likes to work in the garden,

    in the summer of course.

    My wireless (not WiFi) door bell is both a blessing and a curse. I thought about wired(Cat5) CCTV so I can ignore salesmen and those who think I may need a god. I don't really care who calls when I am not there, delivery persons leave a note or the goods with the neighbour. Friends usually pre-arrange or phone/text if I am not about.

    I am pretty sure most of this IoT stuff is about bragging rights or a solution awaiting a problem. Then again I am old now and pretty much a Luddite compared to the under 30's.

    1. GrumpyOldMan

      Re: I likes to work in the garden,

      I was thinking the same thing. IoT is a Solution waiting for a problem. WiFi Fridge? Really? I'm convinced that 99% of the growth of tech is to get there before somebody else does so you can register the patent and get lots and lots of luverly money. Yes there are advances in medicine etc etc but we don't need online games, Fartbook or Twatter to continue our existence. Or maybe I'm just a grumpy old fart out of touch. And a veteran IT contractor who's seen it before.

      How on earth did the human race manage to get this far without IoT, the internet and the mobile phone life support system? It must be life support - you should see my kids reaction when I ask then to remove their headphones and look at me when I'm talking and not their phone! Even my wife is affected! Personally, I have a life bigger than a 3" screen. They can text someone across the planet but can't talk to the person sat next to them.

  11. Stevie

    Bah!

    An internet connected doorbell? So people can play rat-a-tat ginger from miles away?

    How thoroughly essential, functionality-wise. Definitely worth the security hole.

  12. This post has been deleted by its author

  13. Anonymous Coward
    Anonymous Coward

    WTF!!

    Whats next, Bluetooth in shoelaces?

    1. Anonymous Coward
      Anonymous Coward

      Re: WTF!!

      Nah - GPS shoelaces so that you can be tracked everywhere "to measure your health and exercise levels like a pedometer". And pass the data to a data miner who can then flog your info to insurance companies. And other stuff.

      (ooh - did I type that out loud?)

  14. Christian Berger

    Uhm, you can probably still read the flash chip

    I mean the doorbell has to have the secret to gain access to the network, and if you have physical access to it you will always be able to get that.

    Obviously the least you should do is to have several dedicated wireless networks with filtering in between.

    1. Christian Berger

      Re: Uhm, you can probably still read the flash chip

      Actually even if you could safely contain the secret to access the network in a separate WIFI chip... you could _still_ just send different command to that chip and it would allow you access to the network.

    2. Anonymous Coward
      Anonymous Coward

      Re: Uhm, you can probably still read the flash chip

      Indeed, physical security is probably this device's biggest failing. Since power has to be provided, one could argue that making the device effectively PoE would be a better plan.

      That is, you'd have the WiFi bit inside the wall wart that plugs into the power socket and the cable that comes out would be an Ethernet cable with some power supplied on unused pins.

      A cheaper version that did away with WiFi and just had a plain power supply and Ethernet port would serve those who don't want WiFi.

  15. Mage Silver badge
    Facepalm

    WiFi?

    Why not tenth of cost lower power 433 MHz SRD with ASK/OOK and a unique address transmitted, so next door's button doesn't work your bell?

    Then have an option module for bell unit (actually will work with any bell really) to add WiFi for phone addicts that must have door bell button on a mobile app.

  16. Commswonk
    Facepalm

    Einstein was right, wasn't he.

    "The only two things that are infinite are the universe and human stupidity. But I'm not sure about the universe."

    As if a WiFi / IoT doorbell wasn't daft enough, the inclusion of the words The doorbell bundles a similar module to the Fitbit Aria bathroom scales says it all.

    Every time I think the silliness cannot get any worse I read something that shows just how wrong I am... :(

  17. eldakka
    WTF?

    wait, what?

    "Every time Ring is activated, whether with motion or a doorbell ring, it automatically searches for available firmware updates."

    Umm, what? It phones home every time it's activated? So the company can have a complete log of all physical access to your premesis? What else does it send back to big brother? A photo of each activation showing WHO has visited? Talk about creepy.

    Was starting to sound interesting (with additional physical security DIY modifications to fix it's physical vulnerabilities), but now it's off my shopping lost.

  18. vincent himpe

    hardwired ... sod wifi

    Hardwire all that stuff using POE. Wifi doorbells and camera's are useless. Simply scramble the RF

    frequencies in use and it's game over...

    As for wifi: separate partition , WPA2 secured , mac address restricted on router ( yeah i know that can be spoofed too) and number of simultaneous connections limited ( i only have 2 wifi devices. so if a third one tries : bingo. if one of mine no longer works : bingo. )

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like