Ding-Dong -- Your Easily Hacked 'Smart' Doorbell Just Gave Up Your WiFi Credentials

from the not-so-smart-devices dept

Have we mentioned lately that when it comes to the so-called "internet of things," security is an afterthought? Whether it's your automobile, your refrigerator or your tea kettle, so-called "smart" internet of things devices are consistently and alarmingly showing that they're anything but. If these devices aren't busy giving intruders access to your networks and passwords, they're often making life more difficult than so-called dumb devices. Last week, for example, the popular Nest smart thermostat simply stopped working after a software update, resulting in thousands of customers being unable to heat their homes.

Now yet another security problem has been revealed in The Ring smart video doorbell, which lets you see who's at your front door via a smartphone app. According to a blog post by Pen Test partners, all an intruder needs to do is to remove two screws, press a big orange reset button, and they're able to access the configuration URL for the entire system, which can be chained with other devices including door locks and home security cameras:
"If the URL /gainspan/system/config/network is requested from the web server running on the Gainspan unit, the wireless configuration is returned including the configured SSID and PSK in cleartext. The doorbell is only secured to its back plate by two standard screws. This means that it is possible for an attacker to gain access to the homeowner’s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL. As it is just a simple URL this can be performed quite easily from a mobile device such as a phone and could be performed without any visible form of tampering to the unit."
In short, your smart doorbell could potentially make you immeasurably less secure, without any visible signs of tampering to the outside unit. This is, the researchers have warned in a previous post, similar to a vulnerability common in a popular smart bathroom scale, which can be easily tricked into sharing a user's WPA-PSK. Fortunately the company behind the smart doorbell tells the research firm that they quickly issued a firmware patch for the problem, though obviously not all vulnerabilities get fixed this quickly, and it's one more example of "smart" technology being a great advertisement for more traditional, dumb devices.

And despite notable experience with security issues, broadband ISPs that have been eager to jump into the smart home arena aren't having much more luck. A flaw was recently exposed in Comcast's Xfinity home security and automation service, allowing a hacker to trick the system into reporting an "all clear" state by jamming the 2.4 GHz radio used by the service. The security service would then report that everything was fine for up to three hours, and once communication was re-established with the service base station, the system never informed the user there was a problem. So smart!

And the end of the day, if you're interested in a smarter, more secure home, you may want to consider a dog.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doorbell, iot, privacy, security, smart doorbell


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Chris ODonnell (profile), 21 Jan 2016 @ 11:51am

    I have two dogs, and zero "connected appliances." That makes my house a smart house, right?

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 21 Jan 2016 @ 11:52am

    Design flaw

    Notwithstanding the software/firmware issue: any security hardware worth it's name will have it's reset button/protocol on the inside of the premise being protected.

    Look at any doorknob/deadbolt lockset and you'll see they're dismountable on the inside only.

    This doorbell/camera should have two parts: the main unit on the outside and the controller on the inside. Single units on the outside is just asking for trouble.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 21 Jan 2016 @ 12:02pm

    Odds are Google (via Android) and your ISP (via their router) already have your WiFi credentials. At least this threat model consists of someone physically breaking into your stuff. If you're really concerned about the IoT put it on a separate guest network.

    link to this | view in thread ]

  4. identicon
    Anonymous Anonymous Coward, 21 Jan 2016 @ 12:02pm

    Ding Dong

    That is either an inappropriate nickname for those that succumb to the 'smart house' marketing or a renaming of the song from The Wizard of Oz proclaiming a dead witch, which might just be metaphorical for household security.

    Oh yeah, it is also a trade marked snack cake item. Tasty!

    link to this | view in thread ]

  5. identicon
    Christenson, 21 Jan 2016 @ 12:03pm

    Multiple Router SSIDs

    Obviously, real security requires MULTIPLE PSKs, one for each insecure security device! Security devices should treat PSKs the same way passwords are treated: You can input them, but not get them back out!

    Or, at a minimum, a remote sensor and an inside transmit unit!

    link to this | view in thread ]

  6. icon
    TechDescartes (profile), 21 Jan 2016 @ 12:18pm

    And They Said It Was Impossible

    See? It only took a short time for Silicon Valley to solve the encryption wars: instead of a backdoor key, a back doorbell.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 21 Jan 2016 @ 12:23pm

    "This means that it is possible for an attacker to gain access to the homeowner’s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL."

    Since the Ring is a motion sensing camera you will also have a video of someone unscrewing your doorbell from the wall:) and since it can be configured to alert you when the camera is "on" you could even start talking to the person tampering with your door bell. something like " I would work a little quicker if I were you the Police are on the way" should be enough to do the trick ;)

    link to this | view in thread ]

  8. icon
    PRMan (profile), 21 Jan 2016 @ 12:25pm

    Re:

    Microsoft too. They share it with all your Facebook friends on Windows 10.

    link to this | view in thread ]

  9. identicon
    techno, 21 Jan 2016 @ 12:27pm

    Bad lock no signal

    So physical locks are easily bypassed with bump keys. Padlocks are easy to crack. Smart locks are bypassed with software....I think we may just suck at locks people.

    You know who didn't suck at locks? No..really I can't think of anyone. Locks are hard. Heck the Chinese Emperor of the terra cotta army had to bury himself under a darned hill with traps and that still won't work.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 21 Jan 2016 @ 12:29pm

    Perhaps you are missing the point here?
    These devices are non-secure by design. They have been intentionally make to be hacked and you are supposed to run out and get you some of that.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 21 Jan 2016 @ 12:43pm

    Re:

    I have two dogs, and zero "connected appliances." That makes my house a smart house, right?
    You're smart. The dogs are smart. The house is under investigation because the government (and their freelance counterparts) can't just walk in in any time they want to without you noticing.

    link to this | view in thread ]

  12. icon
    streetlight (profile), 21 Jan 2016 @ 12:49pm

    The Internet of things including thermostats

    Didn't I read somewhere that Google's connected thermostat update drained the battery and prevented access. The result was that there was the possibility of a cold house and maybe frozen water pipes. Bad for folks who went to a warm place to get away from those Northern Minnesota temperatures and couldn't use their cell phones to warm up their houses.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 21 Jan 2016 @ 12:57pm

    I'm too dumb to properly configure smart appliances, so I use old-fashioned dumb appliances. Which means I'm safe and smart... I think the IOT is actually starting to give us idiots an advantage. Bow before us, brain-head thinky people!

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 21 Jan 2016 @ 1:08pm

    Re: Bad lock no signal

    The engineers who designed the Panama Canal locks did a pretty good job back in the day. And Lascco makes wonderful lox. Although, other than (maybe) Slartibartfast, I can't think of anyone who made lochs or loughs.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 21 Jan 2016 @ 1:17pm

    > Bow before us, brain-head thinky people!

    Of the few people I know who have been fooled into putting even just a "smart" thermostat in their homes, not one is what I would consider "smart".

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 21 Jan 2016 @ 2:27pm

    Re:

    Which is why they have to compensate for that with loads of smart thingies.

    link to this | view in thread ]

  17. icon
    JBDragon (profile), 21 Jan 2016 @ 2:38pm

    From what I just heard, this security issue was already FIXED!!! All RING Doorbells would automatically download and install this update as they all check for updates once a day.

    Here is where it was originally Reported.

    https://www.pentestpartners.com/blog/steal-your-wi-fi-key-from-your-doorbell-iot-wtf/

    Way down on the bottom of the page is says FIXED!!! This topic is now fear mongering or a issue that's already been taken care of. Anyone with a RING Doorbell is already cured!!!

    link to this | view in thread ]

  18. identicon
    Rekrul, 21 Jan 2016 @ 2:58pm

    HELP!

    I completely removed my front door in the name of convenience, but now thieves can just walk into my home. Does anyone know of a way I can secure my front doorway?

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 21 Jan 2016 @ 3:05pm

    Re:

    The issue of this particular vulnerability has been taken care of. I think the point's more that this sort of vulnerability shows up at all: you note all the security screw-ups across the board of smart-things and see if their frequency increases or decreases. It's nice to know if these fuck-ups are outliers or are part of an industry-wide, systemic carelessness.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 21 Jan 2016 @ 3:40pm

    If you're going to call out the particular vendor, in this case Ring, then you should also be balanced and say that they have ALREADY PATCHED the issue, before it was disclosed to the public. They have already pushed out an automatic update to all existing customers to patch the issue.

    This episode should be a warning to all IOT companies and potential customers, but also an example of an IOT company handling a discovered problem as well as possible.

    link to this | view in thread ]

  21. identicon
    Steve Moore, 21 Jan 2016 @ 3:44pm

    The problem here is

    This product boasts amongst other things a very poor design with fundamental flaws. As a software engineer in the I am horrified. This product was clearly built down to a price rather than up to a standard.

    link to this | view in thread ]

  22. icon
    Ryunosuke (profile), 21 Jan 2016 @ 4:02pm

    So how's those back doors (or in this case front doors) working out?

    link to this | view in thread ]

  23. icon
    z! (profile), 21 Jan 2016 @ 4:25pm

    Y'know, I already have a device that lets me see who's at the door. It's called a "window", and in over 50 years it hasn't needed batteries or an upgrade.

    link to this | view in thread ]

  24. identicon
    Tekmaniac, 21 Jan 2016 @ 4:38pm

    Re:

    Yes this was already fixed. In fact this company did it almost on the same day that it was reported. Which was last Friday. So you guys are a little behind here.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 21 Jan 2016 @ 5:50pm

    Re:

    Of course the nefarious fool will be wearing a mask.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 21 Jan 2016 @ 5:54pm

    Re: Re:

    Where is your willing suspension of disbelief?
    You are supposed to not think about what could possibly go wrong and simply buy their crapware and submit to their spying. What the hell is wrong with you?

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 21 Jan 2016 @ 5:57pm

    Re:

    "Doorbells would automatically download and install this update as they all check for updates once a day."

    This is a doorbell, ffs.
    Who the hell needs a doorbell anyway, make 'em knock on the door. Hey, is there an internet connected door knocker?

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 21 Jan 2016 @ 6:01pm

    Re:

    Yes, however - the issue is somewhat larger than one specific instance, it points toward a more pervasive lackadaisical attitude toward ones customers. This give a shit attitude can be seen across all industry, but let's just let them slide - not.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 21 Jan 2016 @ 7:25pm

    pounding square pegs in a circle

    Wtf are doorbells using wifi to begin with? That sounds just as sensible as using wifi in a car key's alarm dongle. Wouldn't a better alternative be to use an RF module?

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 21 Jan 2016 @ 7:49pm

    Re: The problem here is

    You could say the same about most Wi-fi routers, smartphones, or pretty much any commodity electronic device.

    link to this | view in thread ]

  31. identicon
    Mark Wing, 21 Jan 2016 @ 8:34pm

    Dogs have been the best security system since the dawn of man, and they're in no danger of becoming obsolete.

    Also, in Russia, doorbell rings you.

    link to this | view in thread ]

  32. icon
    snowchaser (profile), 21 Jan 2016 @ 9:16pm

    My thoughts as a Ring Owner

    I have a Ring doorbell. If somebody tried to remove it I would get a notification and the video of the person doing it would be uploaded to the cloud. Also, they are not standard screws on the door bell. They are a proprietary security hex. While it would not stop someone determined to take the doorbell because the mounting bracket is plastic and could be ripped of the wall it would also slow them down.

    So if somebody got my WiFi credentials by this method I would change the password. While it is unfortunate that they did not properly secure the device in the first place in the case the company did the right thing and immediately acknowledged and correct the issue. Which I suspect not all internet of things manufactures will do.

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 21 Jan 2016 @ 9:31pm

    Re: Bad lock no signal

    Actually, good locks that are hard (not impossible) to pick are quite common and relatively well known (http://www.blackhat.com/presentations/bh-europe-08/Deviant_Ollam/Whitepaper/bh-eu-08-deviant_ollam- WP.pdf).

    Problem is, if your front door lock is hard to pick, and you get locked out of home... how do you get back in? In a locksmith can't pick the lock for you, then it's time to drill the lock out and replace it. Of course, if you want to protect against other parties drilling the lock out just as easily, then you are victim to the same difficulties if you ever need to break in.

    Physical locks don't *have* to be easy to pick. But most people want them that way, at least in their homes.

    link to this | view in thread ]

  34. icon
    That One Guy (profile), 21 Jan 2016 @ 9:59pm

    Re:

    Meanwhile, towards the bottom of this article...

    Fortunately the company behind the smart doorbell tells the research firm that they quickly issued a firmware patch for the problem, though obviously not all vulnerabilities get fixed this quickly, and it's one more example of "smart" technology being a great advertisement for more traditional, dumb devices.

    That it was a problem that was quickly fixed wasn't the point of the article, the point was showing yet another example of how 'smart' devices can be really stupid and open up security vulnerabilities and/or cause other problems.

    link to this | view in thread ]

  35. icon
    Ninja (profile), 22 Jan 2016 @ 3:28am

    Re: Re:

    And honestly, what would prevent a really focused attacker from faking a wireless connection and forcing a fake firmware update? I don't know how to fix this vulnerability because wires can be hacked as well but at least you can secure the wires behind a physical barrier.

    link to this | view in thread ]

  36. icon
    JustMe (profile), 22 Jan 2016 @ 5:09am

    Re: JBDragon

    There is a difference between 'a fix was issued' and 'a fix was applied by every home owner' pal, not to mention the gap between 'a fix was issued' and 'a fix works properly, isn't buggy, doesn't break some other core security component, and there aren't any other massive security flaws in this no-privacy-by-design product.'

    So no, not fear mongering, but instead educational content warning people of the actual/real/physical dangers these devices pose for the people that are on the inside of a house that is 'protected' by this device.

    link to this | view in thread ]

  37. icon
    ltlw0lf (profile), 22 Jan 2016 @ 8:25am

    Re:

    Dogs have been the best security system since the dawn of man, and they're in no danger of becoming obsolete.

    Unfortunately, dogs have a fatal design flaw in that they are alive and like to eat. A zombie dog would be a safer bet, since they wouldn't be interested in the steak laced with strychnine. An added benefit is their love of human brains.

    In all seriousness though, dogs are far more expensive than a cheap doorbell, which is why they tend to not have as much of an acceptance rate, plus attackers can easily trap the dog in a closet with a steak and go about their nefarious activities.

    link to this | view in thread ]

  38. identicon
    Richard Stallman, 24 Jan 2016 @ 2:59am

    Biggest Intruder

    Don't forget that the party best placed to intrude in your digital devices is the manufacturer. That is, if the software is proprietary rather than free/libre. A proprietary program is completely under the control of its developer. Famous developers such as Microsoft, Apple, Amazon and Google make malware a standard practice (see http://gnu.org/proprietary/ for examples and references). The rest very likely do the same -- but who knows?

    Let's demand free/libre software in "smart" devices, as in computers.
    See http://gnu.org/philosophy/free-software-even-more-important.html.

    link to this | view in thread ]

  39. icon
    myopia (profile), 30 Jan 2016 @ 11:48am

    Re:

    I think you (totally) miss the point here...

    No amount of 'firmware upgrade' is going to change the fact that 2 screws and a big red^H^H^H orange button are all that keep the bad guys from connecting to the device's management interface.

    What IDIOT thought it was a good idea to put the private access zone on the insecure side of the device? (probably the same one who doesn't know how to use a drill to bore a hole through the door!)


    There's an old adage... "never trust a programmer with a screwdriver."

    link to this | view in thread ]

  40. identicon
    TerryC, 1 Apr 2016 @ 9:21am

    Re: Dogs

    There use to be a show called "IT takes a Thief" (not the one with Robert Wagner.) In it an ex-thief and security guy would break into people's home (with their permission) to check their security setup. Many of these people had dogs. Typically the ex-thief stole the dog. No strychnine necessary. Feed the dog and they would follow him home.
    Dogs are good to warn you of an intruder. They might even scare off a non-violent intruder. In a home invasion, or if you are not there what you're most likely to end up with is a dead dog.

    link to this | view in thread ]

  41. identicon
    Alisha kristy, 21 Jul 2016 @ 4:30am

    Yes, I also like this Ding-Dong smart doorbell because of some new device. Its included some great features that make our life is so easy. It’s always saved our home. It’s not added LED flashing light. Otherwise, it will a great home doorbell.

    link to this | view in thread ]

  42. identicon
    Doorbell Hub, 18 May 2017 @ 10:36pm

    Amazing Info

    You got into my nerves. I am just now more aware and will let my users know about this concern

    link to this | view in thread ]

  43. identicon
    Skybell Vs Ring, 31 May 2017 @ 4:37am

    Skybell Vs Ring

    Beautiful Insights. Would definitely love to give a pingback to this article.

    link to this | view in thread ]

  44. identicon
    Joey5Picks, 14 Dec 2017 @ 2:09pm

    So it's fixed?

    "Fortunately the company behind the smart doorbell tells the research firm that they quickly issued a firmware patch for the problem"

    So everything leading up to this sentence is moot? There was a problem, they fixed it, right?

    And besides, the motion-sensing doorbell would notify you when someone was trying to remove it, so you'd be tipped off.

    link to this | view in thread ]

  45. identicon
    Anonymous Coward, 23 Dec 2017 @ 8:28am

    The MAFIAA had it coming.

    link to this | view in thread ]

  46. identicon
    Anonymous Coward, 31 Dec 2017 @ 11:39am

    Smart people don't connect all their stuff to the Internet.

    link to this | view in thread ]

  47. identicon
    Ashish Goswami, 18 Jan 2018 @ 7:38am

    Probably just getting a dog is still a better idea than having smart devices.

    link to this | view in thread ]

  48. identicon
    the Joker, 26 Jan 2019 @ 2:00pm

    ‘Wi-Fi deauthentication attack‘

    Errmmm...

    1) Why not just flood the target accesspoint with deauthentication packets. This will cause the target accesspoint to disconnect the wireless doorbell from the network??? No wifi no notification??

    link to this | view in thread ]

  49. identicon
    Anon, 27 Jan 2019 @ 4:32am

    Re: My thoughts as a Ring Owner

    To be fair there are far easier & stealthier ways to steal your wifi access. Like you say, if you get your ring stolen ( and you would know soon enough) you know to changed your password.. Losing your ring is more of a nuisance than losing your password.. :-/

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.