A vulnerability in the Android version of the Ring app, which is used to remotely manage Amazon Ring outdoor (video doorbell) and indoor surveillance cameras, could have been exploited by attackers to extract users’ personal data and device’s data, including geolocation, address, and recordings.
The vulnerability was discovered by Checkmarx researchers, who went one step further and demonstrated how an attacker could later analyze huge numbers of recordings with the help of computer vision technology, to extract additional sensitive information (e.g., from computer screens or paper documents) and material (e.g., video records or images of children).
About the vulnerability
“The vulnerability was found in the com.ringapp/com.ring.nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, as such, was accessible to other applications on the same device,” the researchers explained.
The specific bug and exploitation details can be found here but, in short: if attackers had managed to trick RIng users into downloading a specially crafted malicious app, the app could have exploited the vulnerability to grab the authentication token and hardware ID that would have allowed attackers to access the customer’s Ring account through multiple Ring APIs.
This would have allowed them to exfiltrate the victims’ personal (name, email, phone number) and Ring device data (geolocation, address, and recordings) stored in the cloud.
But that’s not all: the vulnerability could have allowed attackers to harvest millions of recordings from a great number of users and, with the help of machine learning technology, automate the discovery of sensitive information or materials.
“[Amazon] Rekognition can be used to automate the analysis of these recordings and extract information that could be useful for malicious actors. Rekognition can scan an unlimited number of videos and detect objects, text, faces, and public figures, among other things,” the researchers noted.
The bug has been fixed
The good news is that the researchers have privately reported the vulnerability to the Amazon Ring development team, and they fixed it in version .51 (3.51.0 Android , 5.51.0 iOS) of the Ring mobile app.
“Based on our review, no customer information was exposed,” Amazon told the researchers, and added that “this issue would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.”
Nevertheless, now that the knowledge is public, Ring users should check whether they’ve already upgraded to a fixed version of the app and, if they haven’t, to do so straight away.