A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.
Checkmarx researchers discovered earlier this year that the official Ring Android app, which has been installed more than 10 million times from Google Play, was affected by several issues that could be chained to obtain information such as name, email address, phone number, physical address, geolocation data, and camera recordings.
The attack relies on a malicious application installed on the same Android device as the Ring camera app. Exploitation involves loading content from a malicious web page, exfiltrating an authorization token to the attacker’s server, and using the token to obtain a cookie needed to call Ring APIs. These APIs could then be abused to obtain sensitive user data and recordings.
Checkmarx made the technical details of the attack public on Thursday, along with a video describing its potential impact.
Researchers demonstrated potential impact by using Amazon’s image and video analysis service Rekognition to automate the analysis of recordings taken from Ring cameras in an effort to find sensitive data or information that could be valuable to an attacker. They showed how an attacker could find sensitive data from screens or documents, and track people’s movements in a room monitored by a Ring camera.
The vulnerability was reported to Amazon through its bug bounty program on May 1 and an Android app update that patches the flaw was released on May 27.
“We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed,” a Ring spokesperson told SecurityWeek.
It’s not uncommon for hackers to target Ring products, and Amazon has even faced lawsuits from customers who had their cameras hacked.
*updated with statement from Ring
Related: Ring Doorbell App for Android Sends Out Loads of User Data
Related: Smart, or Not So Smart? What the Ring Hacks Tell Us About the Future of IoT
Related: Serious Vulnerabilities Found in Firmware Used by Many IP Camera Vendors
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
