Subscribe

Video security —

Ring patched an Android bug that could have exposed video footage

After a chain of attacks, security firm got access to locations and recordings.

-

Ring camera images give you a view of what's happening and, in one security firm's experiments, a good base for machine learning surveillance.
Enlarge / Ring camera images give you a view of what's happening and, in one security firm's experiments, a good base for machine learning surveillance.
Ring

Amazon quietly but quickly patched a vulnerability in its Ring app that could have exposed users' camera recordings and other data, according to security firm Checkmarx.

Checkmarx researchers write in a blog post that Ring's Android app, downloaded more than 10 million times, made an activity available to all other applications on Android devices. Ring's com.ring.nh.deeplink.DeepLinkActivity would execute any web content given to it, so long as the address included the text /better-neighborhoods/.

That alone would not have granted access to Ring data, but Checkmarx was able to use a cross-site scripting vulnerability in Ring's internal browser to point it at an authorization token. Next, Checkmarx obtained a session cookie by authorizing that token and its hardware identifier at a Ring endpoint and then used Ring's APIs to extract names, email addresses, phone numbers, Ring device data (including geolocation), and saved recordings.

Checkmarx's video, featuring footage tests and a hoodie-wearing hacker.

And then Checkmarx kept going. With access to its own example users' recordings and any number of machine-learning-powered computer vision services (including Amazon's own Rekognition), the security firm went wide-angle. You could, the firm found in its tests, scan for:

  • Safes, and potentially their combinations
  • Images of documents containing the words "Top Secret" or "Private"
  • Known celebrities and political figures
  • Passwords and passcodes
  • Children, alone, in view of a Ring camera

To be clear, the vulnerability was seemingly never exploited in the wild. Checkmarx reported it on May 1, Amazon confirmed its receipt the same day, and a fix was released (3.51.0 for Android, 5.51.0 for iOS). Checkmarx says that Amazon responded to the high-severity issue with acknowledgment but also deferral. "This issue would be extremely difficult for anyone to exploit because it requires an unlikely and complex set of circumstances to execute," Amazon told Checkmarx.

Erez Yalon, VP of security research at Checkmarx, told The Record that taped-together vulnerabilities are coveted among hackers.

"Each would be problematic, but chaining them together, something hackers always try to do, made it so impactful."

(Update 1:50 p.m. ET: Updated to correct spelling of Erez Yalon's name. Ars regrets the error.)

Kevin Purdy Kevin is a senior technology reporter at Ars Technica, covering a variety of technology topics and reviewing products. He started his writing career as a newspaper reporter, covering business, crime, and other topics. He has written about technology and computing for more than 15 years.

Channel Ars Technica

Related Stories

    Today on Ars