Amazon Ring vulnerability could have been used to spy on users

August 19, 2022

Amazon has patched a vulnerability in the Ring Android application which, left unchecked, had the potential to expose the personal data of Ring product owners, including their video recordings and location data, according to researchers at application security specialist Checkmarx.

The 20-strong Checkmarx team tests smart, connected products all the time from across a wide spectrum of manufacturers.

“The primary goal is really to determine what the attack surface is for the consumer, how exposed we are as consumers, whether it’s in the banking industry, the IoT [internet of things] devices we have in our homes, our cars, even e-scooters – we have found some interesting things there,” said Checkmarx CEO Emmanuel Benzaquen. “Our role is responsible disclosure.”

One of the most popular ranges of domestic connected devices on the market, Ring by Amazon is a series of doorbells, home security cameras and various peripherals, and the accompanying Android management application has been downloaded more than 10 million times.

IoT devices such as the Ring range are interesting to Benzaquen because, by definition, they communicate with other devices. “Every time you have a lot of devices, you can have something that falls between the cracks,” he said.

“In other words, a standalone vulnerability may be non-exploitable with very low risk on a single product, but combined with another product from a comms standpoint, two low-level vulnerabilities on both products create a more exploitable vulnerability that you cannot see until you put the products together or have them communicate.”

The vulnerability in question is a good example of such a scenario. It existed in a specific activity that was implicitly exported in the Android manifest and accessible to other applications on the same device, and therefore exploitable if the user could be tricked into installing a malicious application.
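To make "implicitly exported" concrete, the following added example (not code from Checkmarx, Amazon or the original article) audits a text-form AndroidManifest.xml for components that declare an intent filter but no `android:exported` attribute, which Android treats as exported for apps targeting API level 30 or lower. The sample manifest is constructed, and its package and class names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.doorbell">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (implicitly_exported, explicitly_exported) component names."""
    implicit, explicit = [], []
    for comp in ET.fromstring(xml_text).iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(ANDROID + "name", "<unnamed>")
        exported = comp.get(ANDROID + "exported")
        # No android:exported plus an intent filter: exported by default
        # for apps targeting API level 30 or lower.
        if exported is None and comp.find("intent-filter") is not None:
            implicit.append(name)
        elif exported == "true":
            explicit.append(name)
    return implicit, explicit

if __name__ == "__main__":
    implicit, explicit = audit_manifest(SAMPLE_MANIFEST)
    print("implicitly exported (review first):", implicit)
    print("explicitly exported:", explicit)
```

Each component in the first list should either be marked `android:exported="false"` or, if it must stay reachable, validate every incoming intent before loading content from it. Apps that target API level 31 or higher must declare the attribute explicitly on any component with an intent filter.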

Subject to a specific set of circumstances, the attack chain would have redirected the user to a malicious web page to access a JavaScript interface granting access to a Java Web Token which, when combined with the Ring device’s hardware ID – which was hardcoded into the token – enabled an attacker to gain control of an authorisation cookie that could, in turn, be used to call Ring’s APIs to extract data including customer names, emails and phone numbers, and Ring data including geolocation, street address, and video recordings.

This established, the Checkmarx team deployed Amazon’s Rekognition computer vision technology against the extracted video data to perform automated analysis of these recordings and extract information that malicious actors might find useful. The team noted that other computer vision technologies, such as Google Vision or Azure Computer Vision, would also have worked.

The team demonstrated how this additional step could be used to read sensitive information from screens or documents visible to Ring cameras, and to track people around their homes, in effect transforming the unwitting victim’s Ring device into a malicious surveillance tool.

The issue was reported to Amazon’s Vulnerability Research Programme on 1 May 2022 and fixed in an update pushed on 27 May 2022 in version .51 of the app (3.51.0 for Android, 5.51.0 for iOS). Amazon said that the issue was potentially of high severity.

“We issued a fix for supported Android customers soon after the researchers’ submission was processed,” said an Amazon spokesperson.

“Based on our evaluation, no customer information was exposed. This issue would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.”

The Checkmarx team said it had been a pleasure to “collaborate so effectively” with Amazon, which swiftly took ownership and was responsible and professional throughout the disclosure and remediation process.

Even though this specific vulnerability was never exploited and would have been tough for an attacker to take advantage of, Benzaquen said he could see several potential scenarios where it could have become problematic – in this instance, the initial means of compromise would most likely have been through a phishing email – perhaps incorporating hijacked Amazon branding – convincing enough to trick users into downloading a malicious app to their smartphones.

“It does require a level of partnership with a target,” said Benzaquen. “You’ve got to have the target download a malicious app, which might sound very aggressive, but I can tell you that when my phone gets into my kids’ hands, I find it the next morning with some very interesting things on it.”

The attack chain’s utility to a determined nation-state threat actor conducting espionage or surveillance of its targets should also not be underestimated.

More broadly, the Ring vulnerability highlights how important it is for owners of connected home products to take more general precautions to protect themselves.

“Once you have one malicious application, you can propagate other attacks,” said Benzaquen. “That’s the danger.

“We need to be careful to make sure we don’t let ourselves be tricked into installing malicious applications – and that takes a bit of education.

“Generally speaking, I think we always need to be aware of anything fishy around our digital interaction with anything, whether it’s on the web, whether it’s on our mobile, and so on.”

Benzaquen added: “Both buying from known suppliers and downloading from known sources are good reflexes to build. Another one I think is very fundamental is anything that looks outside the norm, like asking for private data of any kind – there’s a very, very limited need for this kind of thing. It does require a level of awareness and vigilance from the end-user, unfortunately, but that’s the way the world is.”
