Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Ring Camera Recordings Exposed Due to Vulnerability in Android App

A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.

A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.

Checkmarx researchers discovered earlier this year that the official Ring Android app, which has been installed more than 10 million times from Google Play, was affected by several issues that could be chained to obtain information such as name, email address, phone number, physical address, geolocation data, and camera recordings.

The attack relies on a malicious application installed on the same Android device as the Ring camera app. Exploitation involves loading content from a malicious web page, exfiltrating an authorization token to the attacker’s server, and using the token to obtain a cookie needed to call Ring APIs. These APIs could then be abused to obtain sensitive user data and recordings.

Checkmarx made the technical details of the attack public on Thursday, along with a video describing its potential impact.

Researchers demonstrated potential impact by using Amazon’s image and video analysis service Rekognition to automate the analysis of recordings taken from Ring cameras in an effort to find sensitive data or information that could be valuable to an attacker. They showed how an attacker could find sensitive data from screens or documents, and track people’s movements in a room monitored by a Ring camera.

The vulnerability was reported to Amazon through its bug bounty program on May 1 and an Android app update that patches the flaw was released on May 27.

We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed, a Ring spokesperson told SecurityWeek.

It’s not uncommon for hackers to target Ring products, and Amazon has even faced lawsuits from customers who had their cameras hacked.

*updated with statement from Ring

Related: Ring Doorbell App for Android Sends Out Loads of User Data

Related: Smart, or Not So Smart? What the Ring Hacks Tell Us About the Future of IoT

Related: Serious Vulnerabilities Found in Firmware Used by Many IP Camera Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.