News

Thursday, 2019-11-21 15:36

Security breach in Ring doorbells

An ideal example for device manufacturers

Cybersecurity is on everyone's lips. Every device manufacturer knows that sooner or later it will have to deal with this topic.
Often, however, we hear relativizing arguments: "Why encrypt a communication channel if the transmitted data has no real value for attackers?" But almost every device communicates data that may be relevant to third parties. If the device has a Wi-Fi interface, there is usually a point at which the device is configured. At this time, the WLAN key is transferred to the device, e.g. from a smartphone application or a browser. Often, this process can even be forced later by interfering with the WLAN communication and making the unaware user reconfigure the device (e.g. with a "de-auther", which is available in online shops for a few bucks). This is exactly the security breach the company Bitdefender found in a doorbell from the Amazon subsidiary "Ring" [https://labs.bitdefender.com/2019/11/ring-video-doorbell-pro-under-the-scope].


But devices without Wi-Fi also often hold information that is interesting to third parties. Many users choose the same passwords when setting up user accounts on devices as they do for other, much more security-relevant services, such as their email account or PayPal account. If these passwords are read out because of inadequate device security, the damage can be enormous.
The setup procedures described above usually take place over the local network. It may seem surprising at first that this communication is not easy to protect. Many device manufacturers (as opposed to "Ring") already use TLS for encryption. However, using TLS in local networks carries risks that hardly anyone is really aware of. For example, self-signed certificates can hardly be checked in a browser. In addition, the local network lacks a unique identity of the kind that the domain name provides on the Internet.
We are happy to explain in a personal conversation how to implement secure local communication.
Contact us for a non-binding consultation!


SEVENSTAX - Security made in Germany!