A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.
Checkmarx researchers discovered earlier this year that the official Ring Android app, which has been installed more than 10 million times from Google Play, was affected by several issues that could be chained to obtain information such as name, email address, phone number, physical address, geolocation data, and camera recordings.
The attack relies on a malicious application installed on the same Android device as the Ring camera app. Exploitation involves loading content from a malicious web page, exfiltrating an authorization token to the attacker’s server, and using the token to obtain a cookie needed to call Ring APIs. These APIs could then be abused to obtain sensitive user data and recordings.
Checkmarx made the technical details of the attack public on Thursday, along with a video describing its potential impact.
Researchers demonstrated potential impact by using Amazon’s image and video analysis service Rekognition to automate the analysis of recordings taken from Ring cameras in an effort to find sensitive data or information that could be valuable to an attacker. They showed how an attacker could find sensitive data from screens or documents, and track people’s movements in a room monitored by a Ring camera.
The vulnerability was reported to Amazon through its bug bounty program on May 1 and an Android app update that patches the flaw was released on May 27.
“We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed,” a Ring spokesperson told SecurityWeek.
It’s not uncommon for hackers to target Ring products, and Amazon has even faced lawsuits from customers who had their cameras hacked.
*updated with statement from Ring