Skip to content
Naked Security Naked Security

IoT doorbell gave up Wi-Fi passwords to anybody with a screwdriver

Anybody could unscrew the Ring off a front door, flip it, retrieve the Wi-Fi password, and Presto! own your network.

Here’s the physical security that the Wi-Fi enabled, Internet of Things Ring smart doorbell gives you: 1) automatic activation and notification on your mobile phone when people come close to your home or loiter around it, and 2) a CCTV camera and high-quality intercom to talk to whomever comes knocking, even if you’re miles away.

Here’s the physical hole it was putting in your Wi-Fi: somebody could easily pop it off your front door (it’s secured with two standard screws), flip it over, retrieve the Wi-Fi password, and Presto! own your network.

It was, says Pen Test Partners, which discovered the vulnerability, the latest IoT WTF.

To set it up, you have to connect the Ring to your Wi-Fi router, which means that you have to give it the password.

The set-up button is connected to a back plate that attaches the doorbell to the wall and can provide power from an AC source.

After you set it up, you attach it to the house with two Torx T4 screws.

The company’s aware that this makes it simple as pie to steal: that’s why Ring offers a free replacement if thieves pocket the gadget.

If thieves are more interested in intruding into your Wi-Fi network than grabbing a $200 doorbell, they can turn it over and press the setup button, which sets the doorbell’s wireless module – a Gainspan wireless unit – and creates an access point that’s simple to connect to.

From there, a snooper can connect to the Gainspan’s HTTP server.

Then, an intruder can request the URL /”gainspan/system/config/network” from the web server running on the Gainspan unit.

(This all has the aroma of default configuration, the firm said, given that it’s a standard Gainspan URL.)

The wireless configuration will be returned, including the configured network name (SSID) and pre-shared key (PSK) – a typical authentication method – in cleartext.

In sum, an attacker can gain access to a homeowner’s wireless network by unscrewing the Ring, pressing the setup button, and accessing the configuration URL, all without any visible form of tampering.

Given that it offers up a simple URL, it can also be done “quite easily” from a mobile device, such as a phone, Pen Test Partners says.

This is quite a fail: walk up to door, remove doorbell, retrieve users Wi-Fi key, own their network!

Pen Test Partners handed out kudos to Ring for responding to the vulnerability alert “within a matter of minutes,” with a firmware update released to fix the issue just two weeks after it was disclosed privately.

As Pen Test Partners posted in an update, there was a bit of confusion regarding whether the vulnerability had in fact been fixed.

But Ring pointed me to a post from Chief Technology Officer Joshua Roth, in which he said that 100% of active users are operating on a secure version of the firmware, version 1.6.39.

But there’s also a part 2 to Pen Test Partners update: it turns out that it’s possible to geolocate where in the world an unconfigured Ring doorbell is.

Pen Test Partners advises those who buy Ring doorbells to set them up immediately, rather than leave the gadgets sitting around, charged but unconfigured, as yet another piece of IoT bait for wardrivers sniffing out unsecured Wi-Fi networks.

Internet of Insecure Things?

From kettles to intruder alarms, baby monitors, and drug pumps, anything that is part of the Internet of Things needs security built in right from the start.

If you’re a programmer, and you’re enabling your latest electronic gadget to join the IoT, remember to think security, even if you never expect that device to be installed on the public-facing internet.

12 Comments

I own one, it works great. I see you corrected your original statement that it is secured with standard screws. It is secured with Torx screws which is much different and makes it more physically secure. Also while you are doing all of this my Ring is capturing video of you, walking up to my door, unscrewing the bell, etc. It is cloud recorded. So I review the video and change my network password and you own nothing other than the knowledge I have shared your trespassing with the police. All on video. Might be a vulnerability but not really worth it.

Torx screws can be considered “more physically secure” inasmuch as the heads are designed not to strip so easily when you try to tighten them up or undo them. This is, indeed, handy when the screw is exposed to the elements and is thus more likely to seize and need some serious force to get loose. In other words, you can argue that a doorbell secured with Torx screws can more reliably and more easily be undone than one secured with some other sort of screw.

You have to consider the Torx head to be a “standard screw” these days. Heck, it’s hard to buy a boxed set of hex-socket (Allen key) driver bits these days (a lot of bicycle components still use them) without getting a set of Torx bits, flat bits and Phillips bits thrown in at the same “for completeness.”

(Like those cheapo socket sets that have metric and wacky-size tools in the same box because it’s easier than having two SKUs with half the sockets in each :-)

In other words, assuming that Torx is safer against crooks because the Bad Guys might not have a T4 on their multitool is security through obscurity. I advise against relying on it!

I have to ask (and this is a serious question), who would bother going to all this trouble just to get a network password for a random house in anywhere USA? Is this really a serious problem? I would think that hackers getting into the Point of Sales units at large box stores (Target, Home Depot, et al) is something more worrying

My company installed one of these against my protests. In order to secure it, I created a separate, isolated VLAN with an access list to restrict it down to only being able to talk with just the few things it needed to on the public Internet, and nothing on my own network. I then attached that network to a separate SSID from my wireless AP.

To answer your question, if I had not done that work to restrict it, and had simply connected it to a general wireless network, then compromising that SSID and password would give the attacker direct access to my entire network.

Something else to consider about this: my primary wireless network, and most wireless networks at big companies that have dedicated security teams will have WPA2 Enterprise wireless. Small mom and pop shops without dedicated security teams will have WPA2 Personal wireless. This doorbell only works on WPA2 Personal. So, your small shop without anyone dedicated to security would probably just stick this device on the same WPA2 Personal network that comprises their entire office network.

But just think how much time and money you saved by not having to wire up the doorbell in the first place! That probably saved you at least 5% of the effort you needed to figure out how to deploy the wireless doorbell safely :-)

Shame on your company for using a $199 security solution meant for domestic use.

Surely for $200 a bit of security is reasonable to expect :-) (The vendor seems to think so given they fixed it super-quickly!)

It’s only “a random house” until it’s *your* house that gets hit :-)

(Crooks *do* target houses street by street, for example to get credit card mailings or other PII out of mailboxes – data they can then sell on. And that’s the thing: this vulnerability *could* have been a problem, albeit a small one, and so it mattered, and so it was fixed.)

I’m surprised that naked security would post about this in this manner. The VULN was disclosed privately and responded to by Ring within two minutes, as reported by the author of the original post (which was easy to find). So the issue I have is with the reporting: This issue was fixed before any publication of the VULN – which was clear to anyone who did their homework. This post would lead someone to believe that it is a current VULN. The post should have written about this VULN in the past tense, which would have been the post 100% correct.I would hate to think that sensationalism trumped factual reporting.

Errrr, we did use the past tense to talk about the vulnerability. (For example, see the headline.)

We also wrote that “Pen Test Partners handed out kudos to Ring for responding to the vulnerability alert ‘within a matter of minutes’, with a firmware update released to fix the issue just two weeks after it was disclosed privately.”

We also reported that the doorbell vendor already claimed that every device in the field now has the update.

I’m sorry, but I can’t see how anybody could infer from the article that this is a current vulnerability, considering that we explicitly describe it as fixed and the patches delivered…

WOW! How serious can this be? I mean, is it not safe to use wireless doorbells at home? I do own a Ring doorbell and this article came up unexpectedly. It worries me a lot and please reply if I have to worry about this!

Couldn’t you just take a photo of password and put name of camera position on it, put in a secure place then remove password from the back of your camera?

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?