(22) Elliot Alderson on Twitter: "<Thread> Few days ago, @Gizmodo published an awesome investigation about the Neighbors app by @ring. The article is doing an excellent job but no technical details are given. So I decided to give a look at the crime

<Thread> Few days ago,

published an awesome investigation about the Neighbors app by

. The article is doing an excellent job but no technical details are given. So I decided to give a look at the crime-alert app made by Amazon 1/

Ring’s Hidden Data Let Us Map Amazon's Sprawling Home Surveillance Network

As reporters raced this summer to bring new details of Ring’s law enforcement contracts to light, the home security company, acquired last year by Amazon for a whopping $1 billion, strove to unders...

Gizmodo @Gizmodo

Replying to

In the article,

explained that by examining the network traffic of the Neighbors app, we can get the geographic coordinates of a camera. 2/

Replying to

So I installed the app on a phone, intercepted the traffic and used all the possible features of the app 3/

Replying to

Bingo! When the app retrieves the details of an alert, the geographic details of the camera is in the response. 4/

Replying to

This is what an alert looks like in the app. The location of the camera is not given, only "X miles away". This a clear leak of personal information from

5/

Replying to

In his article

mentionned the work of Dan Calacci, a PhD student at the Massachusetts Institute of Technology’s (MIT) Media Lab. He managed to enumerate the location of all the

cameras in the US. How did he do it? 6/

Replying to

This is quite easy. In the "get alert details" request you just have to change the alert id: /api/alerts/<alert_id> 7/

Replying to

As a result, you will have the location of the

cameras who shared an alert at least once in the past. 8/

Replying to

and

In another article,

from

mentionned that some hackers are able to crack

accounts. How they are doing that? 9/

Replying to

and

Unfortunately, this is quite easy. An attacker has two choices: - use a list of already compromised combinations from other services - If you know the victim's email you can bruteforce the password. There is no rate limitation on the server side... 10/

Replying to

and

I successfully bruteforce my own account... 11/

Replying to

and

Also, there is no authentication to access the videos of alerts shared by

users. 12/

Replying to

and

No authentication to access the photos too... 13/

Replying to

and

Don't tell anyone, but if you want to have fun the api and the staging env urls are available in the app. 14/

Replying to

and

That's the end. Don't buy a product with such lousy security 15/15