The revolution that we call the Internet of Things is ongoing, and it's gaining momentum. Just about anything can connect with your home network these days, from light bulbs to shirts to garage doors. Security often gets short shrift in the design of these devices, especially the least expensive ones. If securing a smart lightbulb makes it cost 50 cents more than the competition, the competition's going to win the business.

However, some IoT devices really ought to have extra security. Sure, you find it convenient to open your garage door with a smartphone app, but you wouldn't be pleased to learn that car thieves can also open it. And while your smart doorbell lets you see who's on your porch and answer the door remotely, it really shouldn't let anybody else have that view. With that thought in mind, PCMag contacted the research team at Bitdefender and asked them to have a look at several popular devices, including the Ring Video Doorbell Pro. Note that we'll report on any additional vulnerabilities if and when Bitdefender reports them.

Defenders of Things

The developers at Bitdefender have had their eyes on the Internet of Things for quite some time. Five years ago they came up with the Bitdefender Box, a network security hub that aimed to secure every computer, smartphone, tablet, and IoT device on your home network. The designers reasoned that if the IoT device companies weren't going to bake security into their devices, Bitdefender would impose security from the outside.

Not everyone is willing to fiddle with an external security box, but everyone needs a home router. More recently, Bitdefender partnered with Netgear to build the technology from Bitdefender Box into routers such as the Netgear Nighthawk AC2300, where it goes by the name Netgear Armor.

This background is significant, because Bitdefender's developers and researchers have had to spend a lot of time analyzing the security of IoT devices, to verify that their technology prevents exploitation of any security holes. Who better to check the security of a well-known and much-used device?

No Keyboard? No Problem!

Getting your new laptop or tablet connected to the home Wi-Fi network is a snap. Just choose the right network name and type in the passcode. On a device like a smart TV it can be a little more awkward, but after a while you get pretty good at picking letters on the screen using a remote. But how do you set up a Wi-Fi connection for a device that doesn't have a screen, a keyboard, or any physical user interface at all?

One popular technique involves a kind of reverse Wi-Fi handshake. You press a special button to put the device into its get-connected mode. With many devices, including Ring's collection of IoT doorbells, you connect your smartphone to the Wi-Fi signal it broadcasts, and then enter the credentials for your home Wi-Fi network. The device connects to the network and stops broadcasting. And just like that, it's connected to the network. Keep this in mind, as we'll come back to it.

First, the Good News

The Bitdefender team first analyzed all the ways the Ring Doorbell interacts with other devices. It doesn't touch anything on your local network, just uses it to get to the internet, which is good. When it does connect to the internet, it uses a secure HTTPS connection, which is also good.

Interaction between the smartphone app and the doorbell itself goes through the secure online connection, even when both devices are on the home network. The team confirmed that nobody but the authorized owner can access and control the doorbell. The security profile is practically perfect in every way, like Mary Poppins. Except for one thing…

Breaking Into the Ring

Remember that interaction we described, the way the device initially gets connected to your Wi-Fi network? While it's broadcasting its own Wi-Fi signal, it's unprotected. That signal has no encryption, and anyone who happened to be nearby with the right hardware could capture all its traffic, including your Wi-Fi password.

You could argue that it's extraordinarily unlikely a bad actor would be in the right place at the right time with the right equipment to capture that signal. That's true, if you only consider the initial setup, but the researchers found a way around that limitation.

An attacker would first have to make the existing connection fail. The team found they could do so by pounding the network with an instruction to de-authorize the doorbell as a member of the network. We checked with Jay Balan, Bitdefender's device breaker par excellence, and he confirmed that the attacker could send this instruction without knowing the Wi-Fi password for your local network.

With enough figurative pounding, the device eventually shows up as offline. The doorbell still rings; it just doesn't send a notification. Thus, it may take a while for the owner to notice. Eventually the owner must go through the setup process again. This time, the attacker is ready to capture the credentials. Now the attacker has full access to your network. Balan pointed out that a smart attacker will spoof the MAC address of an existing device, so you'll never know they're there.
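From the defender's side, the repeated de-authorization described above leaves a visible trace: an unusual burst of deauth frames aimed at one device. The following is an added example, not code from Bitdefender, Ring, or the original article, that counts deauth frames per target station in a sliding window; the record format, MAC addresses, window, and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed MAC addresses and frame records (not a real capture).
# Assumed record format: "<epoch seconds> <frame subtype> dst=<station MAC>"
DOORBELL = "aa:bb:cc:00:00:01"
LAPTOP = "aa:bb:cc:00:00:02"
SAMPLE = (
    ["100.0 beacon dst=ff:ff:ff:ff:ff:ff",
     f"101.0 deauth dst={LAPTOP}"]  # a single deauth is ordinary Wi-Fi behavior
    + [f"{200 + i * 0.1:.1f} deauth dst={DOORBELL}" for i in range(60)]
)

LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<subtype>\w+)\s+dst=(?P<dst>[0-9a-f:]{17})$"
)

def parse(lines):
    """Yield (timestamp, subtype, destination MAC) for well-formed records."""
    for line in lines:
        m = LINE.match(line.strip().lower())
        if m:
            yield float(m["ts"]), m["subtype"], m["dst"]

def find_deauth_floods(lines, window=10.0, threshold=20):
    """Return {station: (window_start_ts, peak_count)} for every station that
    received more than `threshold` deauth frames within `window` seconds.
    Records are assumed to arrive in timestamp order."""
    recent = defaultdict(deque)   # station -> timestamps still inside the window
    alerts = {}
    for ts, subtype, dst in parse(lines):
        if subtype != "deauth":
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop frames that fell out of the window
        if len(q) > threshold:
            first, peak = alerts.get(dst, (q[0], 0))
            alerts[dst] = (first, max(peak, len(q)))
    return alerts

if __name__ == "__main__":
    for station, (start, peak) in find_deauth_floods(SAMPLE).items():
        print(f"deauth flood against {station}: {peak} frames from t={start}")
```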

If you think this attack sounds slow and arduous, you're right. It's the opposite of spamming out phishing emails and waiting for fools to take the bait. The attacker needs a place to hang out within range of your Wi-Fi, without arousing suspicion. Just parking a sinister black van in front of your house is going to look pretty sketchy, as the attack could take hours, or days. The most likely target for such an attack is a government functionary, or a corporate higher-up. Getting into such a luminary's home Wi-Fi could yield access to all kinds of secrets.

Want to know more about the details of just what Bitdefender's researchers learned, and how they broke into the device's security? Check out this blog post. If you're ready for the full technical details, you may also want to peruse Bitdefender's whitepaper on the subject.

What's the Solution?

Bitdefender notified Ring's technical team about this vulnerability in June. As is standard in responsible disclosure, they gave Ring a deadline to fix the problem, after which they'd publish, fix or no. As of this writing, Ring has pushed out a fix to all Ring Video Doorbell Pro devices. A Ring spokesperson told us, "Customer trust is important to us and we take the security of our devices seriously. We rolled out an automatic security update addressing the issue, and it's since been patched."

Now, when the Ring device broadcasts a Wi-Fi signal for your phone to grab, it uses an HTTPS connection. Rather than require the user to authenticate using a password, it secures the connection using a digital certificate, signed by the company and validated by the app. Why didn't they do that in the first place? They probably thought, as we once did, that the risk of someone sniffing that connection at just the right moment is negligible.

We really, really hope that this news means Ring has fixed any problems that might exist in the Ring Video Doorbell 2 and the entire video doorbell product line. However, Bitdefender's team states very clearly that they only examined the Ring Video Doorbell Pro, and only verified that the problem is solved for that device. The fact that Ring fixed this somewhat obscure hole so quickly gives us hope. After all, any company might offer a product that has a vulnerability. A company's response to such challenges makes all the difference.
