Amazon Ring vulnerability might have been used to spy on users

A now-patched vulnerability in the Amazon Ring mobile app might have been exploited to expose users' video recordings, but was complex to exploit, according to the researchers who discovered it.

Alex Scroxton


Published: 18 Aug 2022 14:00

Amazon has patched a vulnerability in the Ring Android application which, left unchecked, had the potential to expose the non-public data of Ring product owners, including their video recordings and location data, according to researchers at application security specialist Checkmarx.

The 20-strong Checkmarx team tests smart, connected products all the time, from across a broad range of manufacturers.

"The principal goal is actually to determine what the attack surface is for the buyer, how exposed we have been as consumers, whether it's in the banking industry, the IoT [internet of things] devices we have inside our homes, our cars, even e-scooters; we've found some interesting things there," said Checkmarx CEO Emmanuel Benzaquen. "Our role is responsible disclosure."

One of the most widespread ranges of domestic connected devices available, Ring by Amazon is a suite of doorbells, security cameras and other peripherals, and the accompanying Android management application has been downloaded more than 10 million times.

IoT devices like the Ring range are interesting to Benzaquen because, by definition, they talk to other devices. "Once you have several devices, you could have a thing that falls between the cracks," he said.

Put simply, a standalone vulnerability could be non-exploitable, with surprisingly low risk, on a single product, but coupled with another product from a communications standpoint, two low-level vulnerabilities on both products develop into a more exploitable vulnerability that you cannot see until you put the products together or have them communicate.

The vulnerability involved is an excellent example of this type of scenario. It existed in a particular activity that was implicitly exported in the Android manifest and accessible to other applications on the same device, and for that reason exploitable if a user could be tricked into installing a malicious application.
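An added example, not code from Checkmarx, Amazon or this article: a short Python check a developer could run over a decoded AndroidManifest.xml to flag components that declare an intent filter but no explicit `android:exported` attribute, which Android versions before 12 (API 31) treat as exported by default. The package and class names in the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
EXPORTED = f"{{{ANDROID_NS}}}exported"
NAME = f"{{{ANDROID_NS}}}name"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.doorbell">
  <application>
    <activity android:name=".LauncherActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebBridgeActivity">
      <intent-filter>
        <action android:name="com.example.doorbell.OPEN_URL"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.doorbell.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>"""


def implicitly_exported(manifest_xml):
    """Return (tag, name) for components that declare an intent filter but
    no android:exported attribute. Before Android 12 (API 31) such components
    default to exported=true, so any app on the device can start them."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            has_filter = comp.find("intent-filter") is not None
            if has_filter and comp.get(EXPORTED) is None:
                findings.append((tag, comp.get(NAME)))
    return findings


if __name__ == "__main__":
    for tag, name in implicitly_exported(SAMPLE_MANIFEST):
        print(f"implicitly exported {tag}: {name}")
```

Each finding should either be given `android:exported="false"` or, if it must be reachable from other apps, be reviewed for what it does with untrusted intent data.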

Subject to a specific set of conditions, the attack chain could have redirected the user to a malicious website to gain access to a JavaScript interface granting access to a Java Web Token which, when combined with the Ring device's hardware ID, which was hardcoded into the token, enabled an attacker to obtain an authorisation cookie that could, in turn, be used to call Ring's APIs and extract data including customer names, emails and telephone numbers, and Ring data including geolocation, street address and video recordings.

With this established, the Checkmarx team used Amazon's Rekognition computer vision technology against the extracted video data to perform automated analysis of the recordings and extract information that malicious actors might find useful. The team noted that other computer vision technologies, such as Google Vision or Azure Computer Vision, would also have worked.

The team demonstrated how this additional step could be used to read sensitive information from screens or documents visible to Ring cameras, and to track people around their homes, in effect transforming the unwitting victim's Ring device into a malicious surveillance tool.

The problem was reported to Amazon's Vulnerability Research Programme on 1 May 2022 and fixed in an update pushed on 27 May 2022 in version .51 of the app (3.51.0 for Android, 5.51.0 for iOS). Amazon said that the problem was potentially of high severity.

"We issued a fix for supported Android customers immediately after the researchers' submission was processed," said an Amazon spokesperson.

"Predicated on our review, no customer information was exposed. This matter would be extremely problematic for anyone to exploit, since it requires an unlikely and complex set of circumstances to execute."

The Checkmarx team said it had been a pleasure to collaborate so effectively with Amazon, which swiftly took ownership and was responsible and professional throughout the disclosure and remediation process.

Although this vulnerability was never exploited and would have been tough for an attacker to take advantage of, Benzaquen said he could see several potential scenarios where it might have become problematic. In this situation, the initial method of compromise would probably have been a phishing email, perhaps incorporating hijacked Amazon branding, convincing enough to trick the target into downloading a malicious app to their smartphone.

"It can require a degree of partnership with a target," said Benzaquen. "You've surely got to have the mark download a malicious app, which can sound very aggressive, but I could tell you that whenever my phone gets into my kids' hands, I find it the next morning with some very interesting things on it."

The attack chain's utility to a determined nation-state threat actor conducting espionage or surveillance of its targets should also not be underestimated.

More broadly, the Ring vulnerability highlights how important it is for owners of connected home products to take more general precautions to safeguard themselves.

"After you have one malicious application, it is possible to propagate other attacks," said Benzaquen. "That's the chance.

"We have to be cautious to be sure we don't let ourselves be tricked into installing malicious applications, and that requires a little bit of education.

"In most cases, I believe we always have to be aware of anything fishy around our digital interaction with anything, whether it's on the internet, whether it's on our mobile, and so forth."

Benzaquen added: "Both buying from known providers and downloading from known sources are good reflexes to create. Another one I believe is quite fundamental is whatever looks beyond the norm, like requesting private data of any sort; there's an extremely, very limited dependence on this sort of thing. It can require a degree of awareness and alertness from the end-user, unfortunately, but that's the way the world is."
