Amazon fixed a vulnerability in May that exposed Ring app users’ data and camera recordings on Android devices.
The flaw was reported to the Amazon Vulnerability Research Program — Ring was purchased by Amazon in 2018 — by researchers at cybersecurity firm Checkmarx on May 1.
Amazon released a fix for the issue on May 27th as part of the version .51 (3.51.0 Android, 5.51.0 iOS) update. The Android Ring app has been downloaded more than 10 million times and allows users to access video streams from their cameras through the app.
An Amazon spokesman said no customer information was disclosed and confirmed a fix for the issue was released in May.
In comments to Checkmarx, the company said the issue “would be extremely difficult for anyone to exploit given the unlikely and complex set of circumstances it takes to execute.”
Erez Yalon, vice president of security research at Checkmarx, told The Record that it’s difficult to gauge how widespread the vulnerability is because the researchers had to chain together multiple vulnerabilities in the Ring Android app and the Amazon website.
“Any one would be problematic, but chaining them together, which is what hackers always try, is what makes it so powerful.”
Exploiting the vulnerabilities found by Checkmarx “could allow a malicious application installed on the user’s phone to steal their personal information, geolocation, and camera recordings.”
In a report published Thursday, the researchers showed how, in a series of steps, they could use Ring’s APIs to collect the customer’s personal information, including their full name, email address, and phone number, as well as information about their Ring device, including geolocation, address and recordings.
The researchers went a step further, explaining how someone could use Amazon’s facial recognition tool Rekognition to “automate the analysis of these recordings and extract information that could be useful to malicious actors.”
“To further demonstrate the impact of this vulnerability, researchers demonstrated how this service can be used to read sensitive information from computer screens and documents visible to the Ring cameras, and to track people’s movements in and out of a room,” the researchers said.
“Due to the high potential impact of the vulnerability and the high probability of success in real-world attack scenarios, Amazon considered this a High Severity issue and released a fix for it shortly after it was reported.”