Ring – how to crack the Wi-Fi doorbell
Specialists companies Pen Test Partners describe a simple method that allows you to see your password on your home wireless network after spending an attack on the doorbell. The process takes a few minutes and can be made transparent to the owner.
Solutions from the field of IoT are becoming available, but often they threaten the security rather than improve it. Now they appeared on the market “smart” doorbells of different firms. One of the popular models – Ring – is equipped with a proximity sensor, camera, speaker and the module Wi-Fi 802.11 b / g / n 2.4 GHz. Such calls can be easily connected to a home wireless network and become part of the security system.
Ring activates the recording by pressing a button or self-fixing approach. Video and audio are transmitted on a smartphone or other mobile device owners through the Internet. The free app Ring App is available for OS Android, iOS and Windows 10. For an additional fee of $ 3 per month, you can connect corporate cloud service for archiving video.
Optional call is connected to the electronic lock, so this allows you to manage security door remotely. Right on your phone, you can see who came to answer the visitor through the built-in speaker, or open the door for him, even while away from home.
This would seem obvious convenience and a step towards a “smart home”, but at the level of implementation is not so smooth. During the study, the experts found Pen Test Partners mismatch Ring basic safety requirements. Videocall easily removed from the fixtures. Aware of this problem, the company even guarantees the free replacement of the stolen unit. However, to find out your password Wi-Fi, the call did not necessarily take home.
On its reverse side has an orange button that, when clicked, translated Ring setting mode. This built-in HTTP-server Gainspan starts as a point of Wi-Fi access with a standard name: Ring-XXX, where XXX – last three octets of the MAC-address.
For video calls Ring in access point mode, you can connect without authorization known address: http://192.168.240.1. Just type it into your browser and go to the Configuration tab: http://192.168.240.1/gainspan/system/config/network
This page displays the basic wireless settings of the call, including the SSID used by the Wi-Fi network and the password to connect to it. Key PSK Set in tags [password]. It is displayed in plain text form, as well as all other data.
Calculating the developer are that the company did not shut down the dangerous functions embedded HTTP-server and does not use additional security measures – such as encryption of configuration files, access authorization and complexity of physical access to the outside.
After getting acquainted with the results of Ring, the developers have changed the mounting system and released a new version of firmware. Patched modules video call does not store passwords in the clear. However, they left the other vulnerabilities associated with light physical access to e-filling. To solve their need is already on the physical level.