Security News > 2022 > August > Vulnerability in Amazon Ring app allowed access to private camera recordings

A vulnerability in the Android version of the Ring app, which is used to remotely manage Amazon Ring outdoor and indoor surveillance cameras, could have been exploited by attackers to extract users' personal data and device's data, including geolocation, address, and recordings.

The vulnerability was discovered by Checkmarx researchers, who went one step further and demonstrated how an attacker could later analyze huge numbers of recordings with the help of computer vision technology, to extract additional sensitive information and material.

The specific bug and exploitation details can be found here but, in short: if attackers had managed to trick RIng users into downloading a specially crafted malicious app, the app could have exploited the vulnerability to grab the authentication token and hardware ID that would have allowed attackers to access the customer's Ring account through multiple Ring APIs.

This would have allowed them to exfiltrate the victims' personal and Ring device data stored in the cloud.

That's not all: the vulnerability could have allowed attackers to harvest millions of recordings from a great number of users and, with the help of machine learning technology, automate the discovery of sensitive information or materials.

The good news is that the researchers have privately reported the vulnerability to the Amazon Ring development team, and they fixed it in version.

News URL

https://www.helpnetsecurity.com/2022/08/18/vulnerability-amazon-ring-app/