Here’s the physical security that the Wi-Fi enabled, Internet of Things Ring smart doorbell gives you:

1) automatic activation and notification on your mobile phone when people come close to your home or loiter around it, and 2) a CCTV camera and high-quality intercom to talk to whomever comes knocking, even if you’re miles away.

Here’s the physical hole it was putting in your Wi-Fi: somebody could easily pop it off your front door (it’s secured with two standard screws), flip it over, retrieve the Wi-Fi password, and Presto! own your network.

To set it up, you have to connect the Ring to your Wi-Fi router, which means that you have to give it the password.The set-up button is connected to a back plate that attaches the doorbell to the wall providing power from an AC source. After you set it up, you attach it to the house with two screws.

If thieves are more interested in intruding into your Wi-Fi network than grabbing a $200 doorbell, they can turn it over and press the setup button, which sets the doorbell’s wireless module and creates an access point that’s simple to connect to.

In sum, an attacker can gain access to a homeowner’s wireless network by unscrewing the Ring, pressing the setup button, and accessing the configuration URL, all without any visible form of tampering..

Pen Test Partners, the company that found the vulnerability, did however, hand out kudos to Ring for responding to the vulnerability alert “within a matter of minutes,” with a firmware update released to fix the issue just two weeks after it was disclosed privately.

Internet of Insecure Things?

From kettles to intruder alarms, baby monitors, and drug pumps, anything that is part of the Internet of Things needs security built in right from the start.

Excerpt from Naked Security by Sophos, LLC  by Lisa Vaas

No comments: