IoT doorbell gave up Wi-Fi passwords to anybody with a screwdriver

Ring doorbell

Here’s the physical security that the Wi-Fi enabled, Internet of Things Ring smart doorbell gives you: 1) automatic activation and notification on your mobile phone when people come close to your home or loiter around it, and 2) a CCTV camera and high-quality intercom to talk to whomever comes knocking, even if you’re miles away.

Here’s the physical hole it was putting in your Wi-Fi: somebody could easily pop it off your front door (it’s secured with two standard screws), flip it over, retrieve the Wi-Fi password, and Presto! own your network.

It was, says Pen Test Partners, which discovered the vulnerability, the latest IoT WTF.

To set it up, you have to connect the Ring to your Wi-Fi router, which means that you have to give it the password.

The set-up button is connected to a back plate that attaches the doorbell to the wall and can provide power from an AC source.

After you set it up, you attach it to the house with two Torx T4 screws.

The company’s aware that this makes it simple as pie to steal: that’s why Ring offers a free replacement if thieves pocket the gadget.

If thieves are more interested in intruding into your Wi-Fi network than grabbing a $200 doorbell, they can turn it over and press the setup button, which sets the doorbell’s wireless module – a Gainspan wireless unit – and creates an access point that’s simple to connect to.

From there, a snooper can connect to the Gainspan’s HTTP server.

Then, an intruder can request the URL /”gainspan/system/config/network” from the web server running on the Gainspan unit.

(This all has the aroma of default configuration, the firm said, given that it’s a standard Gainspan URL.)

The wireless configuration will be returned, including the configured network name (SSID) and pre-shared key (PSK) – a typical authentication method – in cleartext.

In sum, an attacker can gain access to a homeowner’s wireless network by unscrewing the Ring, pressing the setup button, and accessing the configuration URL, all without any visible form of tampering.

Given that it offers up a simple URL, it can also be done “quite easily” from a mobile device, such as a phone, Pen Test Partners says.

This is quite a fail: walk up to door, remove doorbell, retrieve users Wi-Fi key, own their network!

Pen Test Partners handed out kudos to Ring for responding to the vulnerability alert “within a matter of minutes,” with a firmware update released to fix the issue just two weeks after it was disclosed privately.

As Pen Test Partners posted in an update, there was a bit of confusion regarding whether the vulnerability had in fact been fixed.

But Ring pointed me to a post from Chief Technology Officer Joshua Roth, in which he said that 100% of active users are operating on a secure version of the firmware, version 1.6.39.

But there’s also a part 2 to Pen Test Partners update: it turns out that it’s possible to geolocate where in the world an unconfigured Ring doorbell is.

Pen Test Partners advises those who buy Ring doorbells to set them up immediately, rather than leave the gadgets sitting around, charged but unconfigured, as yet another piece of IoT bait for wardrivers sniffing out unsecured Wi-Fi networks.

Internet of Insecure Things?

From kettles to intruder alarms, baby monitors, and drug pumps, anything that is part of the Internet of Things needs security built in right from the start.

If you’re a programmer, and you’re enabling your latest electronic gadget to join the IoT, remember to think security, even if you never expect that device to be installed on the public-facing internet.