Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Ring Camera Recordings Exposed Due to Vulnerability in Android App

A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.

A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.

Checkmarx researchers discovered earlier this year that the official Ring Android app, which has been installed more than 10 million times from Google Play, was affected by several issues that could be chained to obtain information such as name, email address, phone number, physical address, geolocation data, and camera recordings.

The attack relies on a malicious application installed on the same Android device as the Ring camera app. Exploitation involves loading content from a malicious web page, exfiltrating an authorization token to the attacker’s server, and using the token to obtain a cookie needed to call Ring APIs. These APIs could then be abused to obtain sensitive user data and recordings.

Checkmarx made the technical details of the attack public on Thursday, along with a video describing its potential impact.

Researchers demonstrated potential impact by using Amazon’s image and video analysis service Rekognition to automate the analysis of recordings taken from Ring cameras in an effort to find sensitive data or information that could be valuable to an attacker. They showed how an attacker could find sensitive data from screens or documents, and track people’s movements in a room monitored by a Ring camera.

The vulnerability was reported to Amazon through its bug bounty program on May 1 and an Android app update that patches the flaw was released on May 27.

We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed, a Ring spokesperson told SecurityWeek.

Advertisement. Scroll to continue reading.

It’s not uncommon for hackers to target Ring products, and Amazon has even faced lawsuits from customers who had their cameras hacked.

*updated with statement from Ring

Related: Ring Doorbell App for Android Sends Out Loads of User Data

Related: Smart, or Not So Smart? What the Ring Hacks Tell Us About the Future of IoT

Related: Serious Vulnerabilities Found in Firmware Used by Many IP Camera Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.