Hackers Can Spy on and Hijack Amazon Doorbell's Video Feed

"Letting the babysitter in while kids are at home could be a potentially life threatening mistake."

Doorbell Hack

Security researchers have found that data streams from Amazon-Owned Ring doorbell's app can be easily compromised.

In a blog post on hardware security company Dojo's website, cybersecurity expert Or Cyngiser outlined the issue: using a specialized security assessment tool called VideoSnarf, he and a team of researchers were able to extract and inject video and audio information as it transferred from the Ring doorbell to its app.

That's a big problem: criminals could target Ring doorbells to gather sensitive information about potential targets.

"The attack scenarios possible are far too numerous to list, but for example imagine capturing an Amazon delivery and then streaming this feed," Cyngiser wrote. "It would make for a particularly easy burglary. Spying on the doorbell allows for gathering of sensitive information — household habits, names and details about family members including children, all of which make the target an easy prey for future exploitation."

Injecting Footage

The researchers even demonstrated that they could inject their own video and audio feed, Oceans 11 style, on stage at the Mobile World Congress in Barcelona.

"We developed a [proof of concept], whereby we first captured real footage in a so-called 'recon mode,'" reads the blog post. "Then, in 'active mode' we can drop genuine traffic and inject the acquired footage."

The hack was completely untraceable, the team said.

Patch Adams

It's not the first time Amazon's Ring doorbell has landed in hot water over security issues. In May 2018, The Conversation reported that Ring customers remained logged in even after changing the password to access the device.

Ring scrambled and released an over-the-air update yesterday.

"Customer trust is important to us and we take the security of our devices seriously," an Amazon spokesperson told Futurism. "The issue in the Ring app was previously fixed and we always encourage customers to update their apps and phone operating systems to the latest versions."

But users who haven't downloaded the update, according to Cyngiser, are still vulnerable.

"Letting the babysitter in while kids are at home could be a potentially life threatening mistake," Cyngiser wrote.

Editor's note: This story has been updated with a comment from an Amazon spokesperson.

READ MORE: One Ring to rule them all, and in darkness bind them [Dojo]

More on smart doorbells: Smart Doorbells That Call The Police Are Going to Endanger Some Innocent People