Ring Doorbell Security Flaw Is Part of a Bigger Problem

The era of the Internet of Things ushered in innovations, better convenience, and more personal safety, but it also brought with it a host of security flaws.

Wi-Fi routers were some of the first devices to be attacked on a large scale, giving hackers access to entire networks. Wireless medical implants have also been infiltrated, leading to terrifying speculation about what a nefarious operative could do with access to a patient’s pacemaker or an insulin pump. Now, even our homes can be a target… not just the devices in the home, but the building itself.

The Ring doorbell, an IoT gadget that replaces your existing doorbell, connects over your home Wi-Fi to your smartphone. It lets you “answer” the door with your phone, giving you the ability to see who is at the door, hear that person’s voice and even speak back. The range on Ring is virtually limitless since the home Wi-Fi is talking to the smartphone app, which receives its signal over Wi-Fi or cellular. You could answer the door while you’re at work or on vacation, theoretically thwarting an intrusion.

Ring even offers the ability to record what’s going on outside the house, turning your doorbell into a security camera. There have already been several instances where the homeowner’s Ring either prevented an attack or led to an arrest in a crime.

So what about the flaw? Ring has to connect to your smartphone via its app in order to offer you this convenience and peace of mind. The app is installed on every users’ phone in that household, or at least the people who should be answering the door. One Ring user found out the hard way that the app remains connected to the doorbell even if a particular smartphone owner no longer lives at the residence and even if there’s a password change.

The Ring owner in question made news recently after suffering a romantic breakup. Unbeknownst to the homeowner, the member of the relationship who’d moved out was still able to access the video footage from the doorbell and therefore was able to see who was coming over. This person was also able to ring the doorbell at any time, including in the middle of the night.

The problem was in the way the account and the app “spoke” to each other. Changing the password on the account didn’t block anyone or require the password to be re-entered on the app. Ring has now announced that they’ve fixed this flaw but also reports that it can take up to an hour to remove someone’s app access once the password is changed.

This issue might seem minor compared to other kinds of newsworthy security breaches, but it demonstrates a few key points about our technology. First, we might be a little too quick to adopt the latest connected device, especially if it doesn’t have all the bugs worked out. Also, what are we giving up when we download an app or connect a new gadget to our Wi-Fi? Finally, those permissions and passwords that we turn over to an app don’t work the same way in every app, so it’s up to consumers to understand how it functions.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.