Amazon has patched a vulnerability in the Ring Android application which, left unchecked, had the potential to expose the personal data of Ring product owners, including their video recordings and location data, according to researchers at application security specialist Checkmarx.
The 20-strong Checkmarx team tests smart, connected products all the time from across a wide spectrum of manufacturers.
“The primary goal is really to figure out what the attack surface is for the consumer, how exposed we are as consumers, whether it’s in the banking industry, the IoT [internet of things] devices we have in our homes, our cars, even e-scooters – we have found some interesting things there,” said Checkmarx CEO Emmanuel Benzaquen. “Our role is responsible disclosure.”
One of the most widespread ranges of domestic connected devices on the market, Ring by Amazon is a suite of doorbells, home security cameras and various peripherals, and the accompanying Android management application has been downloaded more than 10 million times.
IoT devices such as the Ring range are interesting to Benzaquen because, by definition, they communicate with other devices. “Whenever you have a number of devices, you can have something that falls between the cracks,” he said.
“In other words, a standalone vulnerability can be non-exploitable with very low risk on a single product, but combined with another product from a comms standpoint, two low-level vulnerabilities on both products create a more exploitable vulnerability that you cannot see until you put the products together or have them communicate.”
The vulnerability in question is a good example of such a scenario. It existed in an activity that the app's Android manifest implicitly exported (an Android activity that declares an intent filter is exported by default unless android:exported is explicitly set to false), so it was reachable by any other application on the same device and therefore exploitable if the user could be tricked into installing a malicious app.
Subject to a specific set of conditions, the attack chain would have redirected the user to a malicious web page that could reach a JavaScript interface exposing a JSON Web Token (JWT). Combined with the Ring device's hardware ID, which was hardcoded into the token, that JWT allowed an attacker to obtain an authorisation cookie, which could in turn be used to call Ring's APIs and extract customer data (names, email addresses and phone numbers) and Ring data (geolocation, street address and video recordings).
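The weakness the researchers started from, an activity exported only because its manifest entry carries an intent filter, is something you can check for in your own builds before a third party does. The script below is an added example written for this article, not code from Checkmarx or Ring: it parses an AndroidManifest.xml and reports every exported component, distinguishing those exported explicitly from those exported implicitly by the pre-Android 12 rule, and lists the deep-link scheme/host pairs each one accepts. The embedded manifest, package and class names are constructed for the demonstration and are not Ring's.

```python
"""Audit an AndroidManifest.xml for implicitly exported components.

Rule applied: an <activity>, <activity-alias>, <service> or <receiver> with
at least one <intent-filter> is exported unless android:exported="false".
Apps targeting API 31+ must declare android:exported on such components
(installation fails otherwise), but apps targeting older APIs still rely
on the implicit rule, which is the situation this script flags.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <activity android:name=".ShareActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Return (exported, reason) for one component element."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true", "explicit"
    has_filter = component.find("intent-filter") is not None
    return has_filter, ("implicit" if has_filter else "not exported")


def deep_link_targets(component):
    """Collect scheme://host pairs from BROWSABLE intent filters."""
    targets = []
    for flt in component.findall("intent-filter"):
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.category.BROWSABLE" not in categories:
            continue
        for data in flt.findall("data"):
            scheme = _attr(data, "scheme") or "*"
            host = _attr(data, "host") or "*"
            targets.append(f"{scheme}://{host}")
    return targets


def audit_manifest(xml_text):
    """Return one finding dict per exported component, in manifest order."""
    root = ET.fromstring(xml_text)
    findings = []
    for component in root.find("application"):
        if component.tag not in COMPONENT_TAGS:
            continue
        exported, reason = is_exported(component)
        if not exported:
            continue
        findings.append({
            "tag": component.tag,
            "name": _attr(component, "name"),
            "reason": reason,
            "deep_links": deep_link_targets(component),
        })
    return findings


def implicitly_exported(xml_text):
    """Names of components exported only by the intent-filter rule."""
    return [f["name"] for f in audit_manifest(xml_text) if f["reason"] == "implicit"]


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{finding['tag']:15} {finding['name']:20} "
              f"{finding['reason']:9} deep links: {finding['deep_links']}")
```

Run against a real manifest (decoded with apktool or aapt2 if you only have the APK), a launcher activity will always show up as implicitly exported, which is expected; the entries to review are the others, particularly any with deep-link targets, since those receive attacker-chosen data from whatever app launches them.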
With that access in hand, the Checkmarx team ran Amazon's Rekognition computer vision service over the extracted video data to analyse the recordings automatically and pull out information that malicious actors could find useful. The team noted that other computer vision services, such as Google Vision or Azure Computer Vision, would have worked equally well.
The team demonstrated how this additional step could be used to read sensitive information from screens or documents visible to Ring cameras, and to track people around their homes, in effect transforming the unwitting victim’s Ring device into a malicious surveillance tool.
The issue was reported to Amazon's Vulnerability Research Programme on 1 May 2022 and fixed in an update pushed on 27 May 2022 in the .51 release of the app (3.51.0 for Android, 5.51.0 for iOS). Amazon rated the issue as potentially high severity.
“We issued a fix for supported Android customers soon after the researchers’ submission was processed,” said an Amazon spokesperson.
“Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.”
The Checkmarx team said it had been a pleasure to “collaborate so effectively” with Amazon, which swiftly took ownership and was responsible and professional throughout the disclosure and remediation process.
Even though this specific vulnerability was never exploited and would have been tough for an attacker to take advantage of, Benzaquen said he could see several potential scenarios in which it could have become problematic. In this instance, the initial means of compromise would most likely have been a phishing email, perhaps incorporating hijacked Amazon branding, convincing enough to trick the target into downloading a malicious app to their smartphone.
“It does require a level of partnership with a target,” said Benzaquen. “You’ve got to have the target download a malicious app, which might sound very aggressive, but I can tell you that when my phone gets into my kids’ hands, I find it the next morning with some very interesting things on it.”
The attack chain’s utility to a determined nation-state threat actor conducting espionage or surveillance of its targets should also not be underestimated.
More broadly, the Ring vulnerability highlights how important it is for owners of connected home products to take more general precautions to protect themselves.
“Once you have one malicious application, you can propagate other attacks,” said Benzaquen. “That’s the danger.
“We need to be careful to make sure we don’t let ourselves be tricked into installing malicious applications – and that takes a bit of education.
“Generally speaking, I think we always need to be aware about anything fishy around our digital interaction with anything, whether it’s on the web, whether it’s on our mobile, and so on.”
Benzaquen added: “Both buying from known providers and downloading from known sources are good reflexes to build. Another one I think is very fundamental is anything that looks outside the norm, like asking for private data of any sort – there’s a very, very limited need for this kind of thing. It does require a level of awareness and alertness from the end-user, unfortunately, but that’s the way the world is.”