Tag: Ring | Page 3

Ring Cameras Hacked in ‘Swatting’ Scheme

December 20, 2022/in Computer Security

The Department of Justice said on Monday that two men have been charged in a scheme that involved hacking Ring security cameras outside homes, drawing and sometimes taunting police, and then broadcasting the antics on social media.

Amazon bought security company Ring in 2018, and the product quickly became one of the company’s “signature” security products for the home, per The Guardian. Ring offers products like doorbells, security cameras and home security systems, with relevant data and controls accessible through the company’s app.

Critics and researchers say the Ring cameras are used to surveil gig economy drivers and delivery people and that they give law enforcement too much power to survey everyday life.

It’s unclear what the men’s motivation was. The two charged are Kya Christian Nelson, who is 21, from Racine, Wisconsin and “currently incarcerated in Kentucky in an unrelated case,” per the DOJ, and James Thomas Andrew McCarty, who is 20 and from Charlotte, North Carolina.

In this case, the two men used the Ring cameras to do something known as “swatting,” where one pretends there is an emergency to draw a large group of police or other first responders.

The pair would hack people’s Yahoo email accounts, then their Ring accounts, find their addresses, call law enforcement to the home with a bogus story, and then stream police’s response to the call. Often, they would harass the first responders at the same time using Ring device capabilities.

For example, “A hoax telephone call was placed to the West Covina [California] Police Department purporting to originate from the victim’s residence and posing as a minor child reporting her parents drinking and shooting guns inside the residence of the victim’s parents,” the Justice Department wrote.

The pair conducted this scheme a dozen times across the country in a one-week span, the department noted. The two men were indicted by a grand jury. Nelson faces two counts of accessing a computer without…

Source…

An Alleged Russian Smuggling Ring Was Uncovered in New Hampshire

December 17, 2022/in Computer Security

As Russia’s invasion of Ukraine drags on, navigation system monitors reported this week that they’ve detected a rise in GPS disruptions in Russian cities, ever since Ukraine began mounting long-range drone attacks. Elsewhere, a lawsuit against Meta alleges that a lack of adequate hate-speech moderation on Facebook led to violence that exacerbated Ethiopia’s civil war.

New evidence suggests that attackers planted data to frame an Indian priest who died in police custody—and that the hackers may have collaborated with law enforcement as he was investigated. The Russia-based ransomware gang Cuba abused legitimate Microsoft certificates to sign some of their malware, a method of falsely legitimatizing hacking tools that cybercriminals have particularly been relying on lately. And with the one-year anniversary of the Log4Shell vulnerability, researchers and security professionals reflected on the current state of open source supply-chain security, and what must be done to improve patch adoption.

We also explored the confluence of factors and circumstances leading to radicalization and extremism in the United States. And Meta gave WIRED some insight into the difficulty of enabling users to recover their accounts when they get locked out—without allowing attackers to exploit those same mechanisms for account takeovers.

But wait, there’s more! Each week, we highlight the security news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories.

Alexey Brayman, 35, was one of seven people named in a 16-count federal indictment this week in which they were accused of operating an international smuggling ring over the past five years, illegally exported restricted technology to Russia. Brayman was taken into custody on Tuesday and later released on a $150,000 bond, after being ordered to forfeit his passport and abide by a curfew. He is an Israeli citizen who was born in Ukraine. Brayman and his wife, Daria, live in Merrimack, New Hampshire, a small town where the two ran an online craft business out of their home. “They are the nicest family,” a delivery driver who regularly drops off packages at their home told The Boston Globe. “They’ll leave…

Source…

Ring fixed a security flaw in its Android app that could have leaked video footage

August 21, 2022/in Mobile Security

What you need to know

Amazon has patched a security vulnerability in Ring’s Android app.
The security flaw could have allowed bad actors to access users’ video footage by installing a malicious app on the same device.
Amazon said that it had found no evidence of the vulnerability being exploited in the wild.

Amazon’s Ring doorbell cameras aren’t exactly the most secure home devices available, and a new report may provide further evidence to support this claim.

Security researchers at Checkmarx discovered a vulnerability (opens in new tab) in Ring’s companion app for Android phones after analyzing it. The software security firm found several bugs in the app that, when stitched together, could grant other apps on the same device access to it. In the worst-case scenario, these could be malicious applications that trick users into installing them.

In turn, it could have allowed bad actors to gain access to users’ video footage stored in a Ring video doorbell, according to Checkmarx. Furthermore, user data including full name, email address, phone number, and geolocation could have been exposed. The app containing the vulnerability has more than 10 million downloads.

However, Amazon told the security vendor that the vulnerability “would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.”

Amazon said that it had rolled out a fix for the issue on May 27 after Checkmarx reported the security flaw. Fortunately, the company found no evidence of customer data being exposed to malicious actors.

The latest vulnerability is the latest incident in which Ring figured in a security issue. In 2020, it was found that Amazon employees were allowed to view video footage, with access levels that went beyond what their job required. In July, the company also admitted to releasing 11 clips to law enforcement without user consent this year.

Source…

Ring security flaw could have allowed hackers to spy on your saved videos — what to do

August 18, 2022/in Computer Security

A high-severity vulnerability in Amazon’s Ring app for Android which could have allowed hackers to spy on users’ saved camera recordings has been discovered and quickly patched by the video doorbell giant.

As reported by BleepingComputer (opens in new tab), the vulnerability was found by security researchers at the application security testing company Checkmarx who quickly shared their findings with Amazon.

As the Ring app for Android has been downloaded more than 10 million times and is used by people around the world, this flaw is particularly concerning which is why Amazon released a fix within the same month it was discovered.

If you haven’t updated the Ring app for your Android smartphone recently, you should go ahead and install the latest version to prevent hackers from being able to gain access to the saved recordings from your home security cameras.

Ring Android app flaw

In a blog post (opens in new tab) detailing their findings, Checkmarx’s researchers explained that they found the Ring app for Android was exposing an ‘activity’ that could be launched by any other app installed on a user’s device.

The activity in question (com.ringapp/com.ring.nh.deeplink.DeepLinkActivity), was exposed inside the app’s manifest and this allowed other installed apps to launch it. By launching the activity, Checkmarx’s researchers found that they could set up a web server to interact with it. However, only webpages on the ring.com or a2z.com domains were able to interact with it, so the researchers bypassed this restriction by finding a cross-site scripting (XSS) vulnerability.

They then exploited this vulnerability to steal a Ring login cookie which allowed the researchers to use Ring’s APIs to extract personal data from customers including their full name, email and phone number as well as device data from their Ring products such as geolocation, address and saved recordings.

Armed with this knowledge, an attacker could have created a malicious app and uploaded it to the Play Store or another official app store. Once a user installed this app, it would carry out the attack and send Ring customer authentication cookies back to the attacker.

Using Amazon Rekognition for…

Source…

Tag Archive for: Ring

What you need to know