A recently patched vulnerability in the Ring Doorbell could have let hackers feed fake images into the video feed, or eavesdrop on video and audio as it is broadcast. The Amazon-owned company has patched the vulnerability in the latest version of its app, but users running older versions of the Ring app could still be at risk.

Researchers at Dojo by BullGuard published the details of the vulnerability in a report today. The report found that, using the right techniques, anyone who has access to incoming data packets could have listened in on the live feed, which was not robustly encrypted. A hacker with access to the user’s Wi-Fi could have even injected data into the feed before it reached the app. In one particularly devious attack, that injection method could be used to send doctored images to a homeowner to convince them to unlock the door. Ring responded, “Customer trust is important to us and we take the security of our devices seriously. The issue in the Ring app was previously fixed and we always encourage customers to update their apps and phone operating systems to the latest versions.”

Ring isn’t transparent about what security measures it takes to protect user data

This is far from the first time security experts have found vulnerabilities in Ring devices. Earlier this year, reports appeared that Ring allowed its employees to watch customers’ videos. Ring denied the reports, saying:

We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.

Ring doesn’t display information on its site about whether it encrypts video footage or employs other security measures to protect user data.

In May last year, The Information reported that Ring allowed password changes and never signed you out after you logged in once. Ring clarified that it has since fixed this and now logs you out after a password change. In March 2017, some users found their Ring doorbells were sending data to a Chinese server run by search engine titan Baidu. There was little explanation for why, besides that it was a bug. Ring told The Verge earlier this month, “This was not a cause for concern, however, Ring updates its devices’ firmware regularly.”

Update February 28th, 6:24PM ET: This article has been updated with comments from Ring.