Mozilla disclosure comes mere days after Ring reaches $5.8 million settlement with the FTC for other privacy issues
(SAN FRANCISCO, CA | TUESDAY, JUNE 6, 2023) -- Today, Mozilla is publicizing a security vulnerability in Amazon’s Ring Wireless Video Doorbell. Mozilla shared the vulnerability with Amazon over 90 days ago, but Amazon has yet to address the issue. Now, per industry standards, Mozilla is sharing its findings publicly to alert Ring Doorbell users and to further pressure Amazon to take action.
Following a penetration test of the Ring Doorbell conducted in October-November 2022, Mozilla and collaborator Cure53 determined that the device is vulnerable to Wi-Fi deauthentication attacks. Bad actors can leverage these weaknesses to disconnect the device from the internet using easily accessible tools.
As a result, those bad actors could take the doorbell offline and then have their activities go unrecorded — undermining the product’s core purpose. Even after the doorbell is reconnected to the internet, a user will receive no alert about the attack.
Mozilla’s disclosure comes just days after Ring’s $5.8 million settlement with the Federal Trade Commission (FTC) over other serious privacy and security issues. The FTC found that “Ring’s poor privacy and lax security let employees spy on customers through their cameras, including those in their bedrooms or bathrooms, and made customers' videos, including videos of kids, vulnerable to online attackers.”
Says Ashley Boyd, VP of Global Advocacy at Mozilla: “More than 10 million Americans have a Ring Doorbell. That prevalence comes with real responsibility — like ensuring strong security and swiftly addressing any vulnerabilities. We’re concerned that Amazon hasn’t taken action based on our research findings using industry-standard methods. And as always, we encourage consumers to prioritize privacy and security when shopping for connected products.”
Says Misha Rykov, Research Associate at Mozilla: “Mozilla shared Ring’s vulnerability — and its solutions — with Amazon, but they haven’t taken any steps to fix it. That’s why Mozilla is speaking up. Consumers deserve to know about vulnerabilities in the products they use, especially ones that are meant to protect their homes.”
To conduct the penetration test, Mozilla and Cure53 relied solely on publicly available online material and on the product itself. We also carried out a battery of other tests on areas like encryption, security updates, and passwords. While we found no high-impact vulnerabilities beyond this one, Mozilla has long been a critic of Ring Doorbell’s privacy practices, collaborations with law enforcement, and harmful impact on communities that are already heavily surveilled.
In addition to identifying this vulnerability, Mozilla and Cure53 have also shared suggested fixes with Amazon. These entail:
- Improving the security of the device by negating the potential for Wi-Fi deauth attacks. Specifically, this can be accomplished by supporting Wi-Fi standards such as 802.11w and WPA3. (This mitigation will only be achieved if both the device and access point (AP) support these standards.)
- Alternatively, the device should integrate a fallback mechanism. In this regard, an effective solution would be to ignore deauth frames when the frequency appears unusual.
- Lastly, the device could store the date and time of offline alerts, then notify the user concerning these when the device is back online.
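The second and third suggestions can be modelled together. The sketch below is an added example, not code from Mozilla, Cure53 or Amazon: the class name, the threshold of 2 frames per 10-second window, and the event list are all assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample: (seconds, event) as seen by the doorbell's Wi-Fi stack.
SAMPLE_EVENTS = [
    (100, "deauth"), (104, "assoc"), (105, "deauth"), (109, "assoc"),
    (110, "deauth"), (111, "deauth"), (112, "deauth"),   # unusual burst
    (300, "deauth"), (320, "assoc"),
]

class DeauthGuard:  # hypothetical name
    def __init__(self, max_frames=2, window_s=10):  # assumed values, not from the page
        self.max_frames, self.window_s = max_frames, window_s
        self.recent = deque()      # timestamps of deauth frames inside the window
        self.offline_since = None  # None while associated
        self.journal = []          # (went_offline, came_back), stored on the device
        self.ignored = 0           # frames dropped by the rate check since last report

    def on_deauth(self, ts):
        """Return True if the frame is honoured, False if ignored as unusual."""
        self.recent.append(ts)     # ignored frames count too, so a sustained burst stays blocked
        while ts - self.recent[0] > self.window_s:
            self.recent.popleft()
        if len(self.recent) > self.max_frames:
            self.ignored += 1
            return False
        if self.offline_since is None:
            self.offline_since = ts
        return True

    def on_reconnect(self, ts):
        """Close the offline interval and return the alerts owed to the user."""
        alerts = []
        if self.offline_since is not None:
            self.journal.append((self.offline_since, ts))
            alerts.append(f"offline from {self.offline_since} to {ts}")
            self.offline_since = None
        if self.ignored:
            alerts.append(f"{self.ignored} deauth frames ignored as unusual")
            self.ignored = 0
        return alerts

def replay(events):
    """Feed events through a fresh guard; return it with every alert raised."""
    guard, alerts = DeauthGuard(), []
    for ts, kind in events:
        if kind == "deauth":
            guard.on_deauth(ts)
        else:
            alerts += guard.on_reconnect(ts)
    return guard, alerts
```

The rate check still honours the first frames in each window, so it is a fallback rather than a substitute for protected management frames (802.11w).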
The penetration test was part of Mozilla’s *Privacy Not Included initiative, a buyer’s guide that helps consumers shop smart — and safe — for products that connect to the internet. Over the past six years, *Privacy Not Included has reviewed more than 100 apps and 300 internet-connected devices.
Kevin Zawacki | +1 (914) 837-4333