Amazon quietly fixes Ring Android app bug that exposed camera data and recordings
Amazon fixed a vulnerability in May that exposed Ring app users’ camera data and recordings on Android devices.
The bug was reported to the Amazon Vulnerability Research program – Ring was purchased by Amazon in 2018 – by researchers at cybersecurity firm Checkmarx on May 1.
Amazon released a fix for the issue on May 27 in the version .51 update (3.51.0 Android, 5.51.0 iOS). The Android Ring app has been downloaded over 10 million times, allowing users to access video feeds from their cameras through the app.
An Amazon spokesperson said no customer information was exposed and confirmed a fix was released in May for the issue.
In comments to Checkmarx, the company said the glitch “would be extremely difficult for anyone to exploit, as executing it requires an unlikely and complex set of circumstances.”
Erez Yalon, vice president of security research at Checkmarx, told The Record that it was difficult to estimate the extent of the vulnerability because it required researchers to string together multiple vulnerabilities in the Ring Android app and Amazon’s website.
“Each would be problematic, but stringing them together, which is what hackers always try to do, made it so impactful.”
When exploited, the vulnerabilities found by Checkmarx “could have allowed a malicious application installed on the user’s phone to steal their personal data, geolocation and camera recordings”.
In a report released Thursday, the researchers showed how, in a series of steps, they were able to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number. phone, and data from their Ring device, including geolocation, address, and records.
The researchers went further, explaining how someone could use Amazon’s Rekognition facial recognition tool to “automate the analysis of these recordings and extract information that could be useful to malicious actors.”
“To further demonstrate the impact of this vulnerability, researchers demonstrated how this service could be used to read sensitive information from computer screens and documents visible to Ring cameras and to track the movement of people entering and leaving. of a piece,” the researchers said.
“Due to the vulnerability’s high potential impact and high likelihood of success in real-world attack scenarios, Amazon has deemed this to be a very serious issue and released a fix shortly. after it was reported.”