If you haven’t updated the Ring app for your Android smartphone recently, you should go ahead and install the latest version to prevent hackers from being able to gain access to the saved recordings from your home security cameras.
Ring Android app flaw
In a blog post detailing their findings, Checkmarx’s researchers explained that they found the Ring app for Android was exposing an ‘activity’ that could be launched by any other app installed on a user’s device. The activity in question (com.ringapp/com.ring.nh.deeplink.DeepLinkActivity) was exposed inside the app’s manifest, and this allowed other installed apps to launch it.
By launching the activity, Checkmarx’s researchers found that they could set up a web server to interact with it. However, only webpages on the ring.com or a2z.com domains were able to interact with it, so the researchers bypassed this restriction by finding a cross-site scripting (XSS) vulnerability. They then exploited this vulnerability to steal a Ring login cookie, which allowed the researchers to use Ring’s APIs to extract personal data from customers, including their full name, email and phone number, as well as device data from their Ring products such as geolocation, address and saved recordings.
Armed with this knowledge, an attacker could have created a malicious app and uploaded it to the Play Store or another official app store. Once a user installed this app, it would carry out the attack and send Ring customer authentication cookies back to the attacker.
This attack gave Checkmarx’s researchers access to saved Ring camera recordings, and they decided to use computer vision technology to analyze all of the videos. The technology in question, Rekognition, uses machine learning to scan these saved camera recordings for celebrities, documents with certain keywords or even passwords that have been written down on post-it notes.
As we mentioned earlier, Ring customers should make sure that their app is updated to the latest version, which is 3.15.0 on Android and 5.51.0 on iOS.
In an email to Tom’s Guide, a spokesperson from Ring provided the following statement on the matter: “We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed.”
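The root cause described above, an activity that the manifest exposes to every other installed app, is something developers can audit for before release. The following is an added example, not code from Checkmarx or Ring: it assumes a decoded, text-form AndroidManifest.xml, and the sample manifest is constructed for illustration (only the package and DeepLinkActivity names come from the article; the other activities and the permission name are hypothetical).

```python
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree uses for android:* attributes.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; NOT the Ring app's real manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.ringapp">
  <application>
    <activity android:name="com.ring.nh.deeplink.DeepLinkActivity"
              android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".ShareActivity" android:exported="true"
              android:permission="com.example.permission.SHARE"/>
    <activity android:name=".LegacyActivity">
      <intent-filter><action android:name="com.example.OPEN"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def exposed_activities(manifest_xml):
    """Return (name, reason) for each activity any installed app can launch."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for act in root.iter("activity"):
        name = act.get(ANDROID + "name")
        exported = act.get(ANDROID + "exported")
        has_filter = act.find("intent-filter") is not None
        if act.get(ANDROID + "permission"):
            continue  # callers must hold a permission; review those separately
        if exported == "true":
            findings.append((name, "exported=true, no permission"))
        elif exported is None and has_filter:
            # With no explicit value, an intent-filter makes the component
            # exported by default (apps targeting Android 12+ must declare it).
            findings.append((name, "intent-filter with implicit export"))
    return findings


if __name__ == "__main__":
    for name, reason in exposed_activities(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

Each flagged activity should either be marked android:exported="false" or treat every incoming intent and URL as untrusted input.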