Elliot Alderson (@fs0c131y) on Twitter

<Thread> A few days ago, @Gizmodo published an awesome investigation about the Neighbors app by @ring. The article is doing an excellent job but no technical details are given. So I decided to take a look at the crime-alert app made by Amazon 1/
gizmodo.com/ring-s-hidden-…
5:02 AM - 20 Dec 2019
Linked article (Gizmodo): Ring’s Hidden Data Let Us Map Amazon's Sprawling Home Surveillance Network. "As reporters raced this summer to bring new details of Ring’s law enforcement contracts to light, the home security company, acquired last year by Amazon for a whopping $1 billion, strove to unders..."

In the article, @dellcam explained that by examining the network traffic of the Neighbors app, we can get the geographic coordinates of a camera. 2/
pic.twitter.com/2RQvgQ8550

So I installed the app on a phone, intercepted the traffic and used all the possible features of the app 3/
play.google.com/store/apps/det…

Bingo! When the app retrieves the details of an alert, the geographic details of the camera are in the response. 4/
pic.twitter.com/nkBKxDmOqm

This is what an alert looks like in the app. The location of the camera is not given, only "X miles away". This is a clear leak of personal information from @ring 5/
pic.twitter.com/EaNYyFOwHD

In its article, @Gizmodo mentioned the work of Dan Calacci, a PhD student at the Massachusetts Institute of Technology’s (MIT) Media Lab. He managed to enumerate the location of all the @ring cameras in the US. How did he do it? 6/
pic.twitter.com/xBB5EXAJ2O

This is quite easy. In the "get alert details" request you just have to change the alert id: /api/alerts/<alert_id> 7/
twitter.com/fs0c131y/statu…

As a result, you will have the location of the @ring cameras that shared an alert at least once in the past. 8/
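Added example, not part of the thread and not Ring's code: a toy version of the "get alert details" endpoint from 4/ to 8/. The vulnerable handler behaves as the thread describes (sequential ids, no check on who is asking, precise coordinates in the response), and `enumerate_locations` is the "just change the alert id" loop. The hardened handler beside it returns only what the app displays, the rounded "X miles away", measured to a secret-derived decoy point so that querying from many different places cannot trilaterate the camera. Endpoint shape, field names, the sample alerts and the secret are assumptions.

```python
# Added example (editor's, not from the thread): a toy "get alert details"
# service in two versions.  The vulnerable one mirrors what the thread
# describes (sequential alert ids, precise camera coordinates in the JSON,
# no check on who is asking); the hardened one returns only what the app
# actually displays ("X miles away").  Endpoint shape, field names and the
# sample alerts are constructed assumptions, not Ring's real schema.
import hmac
import math
import secrets

# Constructed sample data: camera coordinates stored with each alert.
ALERTS = {
    1001: {"owner": "alice", "lat": 37.7749, "lon": -122.4194, "title": "Package theft"},
    1002: {"owner": "bob", "lat": 37.7689, "lon": -122.4138, "title": "Suspicious person"},
    1003: {"owner": "carol", "lat": 37.7833, "lon": -122.4167, "title": "Car break-in"},
}
SERVER_SECRET = secrets.token_bytes(32)  # assumed: per-deployment secret


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3958.8 * math.asin(math.sqrt(a))


# ---- Vulnerable: /api/alerts/<alert_id> as the thread describes it ----
def get_alert_vulnerable(alert_id):
    """Any integer id works for any caller, and the stored record is echoed
    back whole, precise lat/lon included."""
    alert = ALERTS.get(alert_id)
    return dict(alert) if alert else None


def enumerate_locations(fetch, start, stop):
    """Walk a contiguous id range (the "just change the alert id" step) and
    keep every coordinate pair the handler hands back."""
    found = {}
    for alert_id in range(start, stop):
        resp = fetch(alert_id)
        if resp and "lat" in resp and "lon" in resp:
            found[alert_id] = (resp["lat"], resp["lon"])
    return found


# ---- Hardened: opaque ids, coarse distance, no coordinates in the body ----
PUBLIC_IDS = {secrets.token_urlsafe(16): aid for aid in ALERTS}  # opaque -> internal


def decoy_position(alert_id, lat, lon, radius_m=300.0):
    """A fixed, secret-derived offset of up to radius_m per alert.  Distances
    are measured to this decoy, so querying from many points trilaterates the
    decoy rather than the camera."""
    h = hmac.new(SERVER_SECRET, str(alert_id).encode(), "sha256").digest()
    angle = int.from_bytes(h[:4], "big") / 2**32 * 2 * math.pi
    dist = int.from_bytes(h[4:8], "big") / 2**32 * radius_m
    dlat = dist * math.cos(angle) / 111_320.0
    dlon = dist * math.sin(angle) / (111_320.0 * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon


def round_up_half_mile(miles):
    """Coarse bucket, never below half a mile, so the decoy jitter is hidden."""
    return max(0.5, math.ceil(miles * 2) / 2)


def get_alert_hardened(public_id, requester_lat, requester_lon):
    """Only unguessable ids resolve; the response carries the rounded
    distance the app shows and never the camera's coordinates."""
    alert_id = PUBLIC_IDS.get(public_id)
    if alert_id is None:
        return None
    alert = ALERTS[alert_id]
    dlat, dlon = decoy_position(alert_id, alert["lat"], alert["lon"])
    miles = haversine_miles(requester_lat, requester_lon, dlat, dlon)
    return {"title": alert["title"], "distance_miles": round_up_half_mile(miles)}
```

Rounding on its own is not enough: a caller who can query from arbitrary positions recovers a point to within the rounding resolution by trilateration, which is why the distance is taken to a per-alert decoy rather than to the camera itself. Opaque ids stop the id walk; an authorization check (is this caller actually in the alert's neighbourhood?) still belongs in front of the hardened handler, the example only shows the response-shaping part.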

In another article, @josephfcox from @VICE mentioned that some hackers are able to crack @ring accounts. How are they doing that? 9/
vice.com/en_us/article/…

Unfortunately, this is quite easy. An attacker has two choices:
- use a list of already compromised combinations from other services
- if you know the victim's email, you can brute-force the password. There is no rate limitation on the server side... 10/
pic.twitter.com/Pp4TzIcF5E

I successfully brute-forced my own account... 11/
pic.twitter.com/rUY28G5PgW
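Added example (editor's, not the author's or Ring's): the login check from 10/ and 11/ in both states. `login_no_limit` evaluates every guess; `ThrottledLogin` counts failures per account and per source address and refuses further attempts once the limit is hit. `brute_force` is the attacker's loop, run against both so the difference is visible. The account, password, wordlist and source address are constructed, and the PBKDF2 work factor is deliberately low so the demo runs fast.

```python
# Added example (editor's, not from the thread): the same login check with and
# without server-side throttling, plus the attacker's loop that the thread
# says succeeded against the author's own account.  Users, passwords, the
# wordlist and the source IP are constructed; PBKDF2 iterations are kept low
# only so the demo runs quickly.
import hashlib
import hmac
import os
import time
from collections import defaultdict

ITERATIONS = 10_000  # demo value; use a much higher work factor in production


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


USERS = {"victim@example.com": hash_password("hunter2")}  # constructed account


def login_no_limit(email, password):
    """What the thread describes: every guess is evaluated, forever."""
    stored = USERS.get(email)
    return "ok" if stored is not None and check_password(password, stored) else "denied"


class ThrottledLogin:
    """Refuses further guesses once max_attempts failures have been seen in
    the last window seconds, tracked per account and per source address.
    The lockout is returned even for a correct password (fail closed)."""

    def __init__(self, max_attempts=5, window=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self.failures = defaultdict(list)

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return self.failures[key]

    def login(self, email, password, source_ip):
        now = self.clock()
        keys = (("acct", email), ("ip", source_ip))
        if any(len(self._recent(k, now)) >= self.max_attempts for k in keys):
            return "locked"
        if login_no_limit(email, password) == "ok":
            self.failures.pop(("acct", email), None)
            return "ok"
        for k in keys:
            self.failures[k].append(now)
        return "denied"


def brute_force(attempt, email, wordlist):
    """Try each candidate in order.  Returns (password, guesses_made); the
    password is None if the list ran out or the server locked us out."""
    for n, pw in enumerate(wordlist, 1):
        result = attempt(email, pw)
        if result == "ok":
            return pw, n
        if result == "locked":
            return None, n
    return None, len(wordlist)


# Constructed wordlist: the kind of list pulled from other services' breaches.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "monkey",
            "dragon", "football", "iloveyou", "admin", "hunter2", "sunshine"]
```

Per-account lockout alone lets an attacker lock the victim out; per-source limits alone are evaded by spreading guesses across addresses, which is why both are tracked. Throttling only slows the second attack in 10/. The first one, replaying combinations leaked from other services, still succeeds on the first guess whenever the password is reused, and only a second factor or a breached-password check at registration addresses that.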

Also, there is no authentication to access the videos of alerts shared by @ring users. 12/
nhshare.ring.com/17148411/00059…

No authentication to access the photos either... 13/
nhshare.ring.com/7707699/000581…
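Added example (editor's, not the author's or Ring's): what an authenticated share link for the videos and photos in 12/ and 13/ can look like. The share URL is signed with an HMAC over the media path and an expiry; the server verifies both before reading from storage, so the link works only while it is valid and breaks as soon as any part of the path is changed. `serve_unauthenticated` is the behaviour reported in the thread, kept for contrast. Hostname, paths, media bytes and the secret are constructed.

```python
# Added example (editor's, not from the thread): share links as signed,
# expiring capabilities.  The thread's nhshare.ring.com URLs are served with no
# check at all; this shows the minimum a shared-media URL should carry (an
# expiry and an HMAC over path and expiry) and how the server verifies it
# before touching storage.  Hostname, paths, media store and secret are
# constructed.
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARE_SECRET = b"constructed-secret-replace-with-kms-backed-key"
SHARE_HOST = "https://nhshare.example"
MEDIA = {  # constructed object store: path -> bytes
    "share/abc123/video.mp4": b"\x00\x00\x00\x18ftypmp42",
    "share/def456/photo.jpg": b"\xff\xd8\xff\xe0",
}


def _sig(path, exp, key):
    """HMAC-SHA256 over path and expiry, URL-safe base64 without padding."""
    msg = f"{path}\n{exp}".encode()
    raw = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_share_url(path, ttl_s, now=None, key=SHARE_SECRET):
    """Issue a link that proves the holder got it from us and that dies after
    ttl_s seconds.  Changing the media path invalidates it."""
    exp = int((time.time() if now is None else now) + ttl_s)
    return f"{SHARE_HOST}/{path}?" + urlencode({"exp": exp, "sig": _sig(path, exp, key)})


def verify_share_url(url, now=None, key=SHARE_SECRET):
    """True only if the signature matches path+exp and exp is in the future."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    try:
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if (time.time() if now is None else now) > exp:
        return False
    path = u.path.lstrip("/")
    return hmac.compare_digest(_sig(path, exp, key), sig)


def serve_unauthenticated(url):
    """The behaviour the thread reports: whatever path is asked for is served."""
    return MEDIA.get(urlsplit(url).path.lstrip("/"))


def serve_signed(url, now=None):
    """Hardened handler: verify first, then look up the object."""
    if not verify_share_url(url, now=now):
        return None
    return MEDIA.get(urlsplit(url).path.lstrip("/"))
```

A signed link is still a bearer token: anyone who receives it can open it until it expires, which is the intended meaning of "share". What it removes is the ability to reach other people's media by guessing paths. Keep the TTL short, carry a key id in the query string so the secret can be rotated, and log verification failures, since a burst of bad signatures against similar-looking paths is exactly the probing the thread describes.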

Don't tell anyone, but if you want to have fun, the API and the staging env URLs are available in the app. 14/
pic.twitter.com/jBf6I36U1V
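Added example (editor's, not the author's): the check behind 14/, finding API and staging hostnames baked into an APK. An APK is a zip, and dex and resource string pools store ASCII constants intact, so a regex pass over every entry surfaces hard-coded URLs; `classify_hosts` then separates hostnames whose labels look like non-production environments. The APK here is built in memory from constructed bytes and the hostnames are invented.

```python
# Added example (editor's, not from the thread): a quick pass over an APK's
# string pools for hard-coded endpoints, the way you would confirm that API
# and staging URLs ship inside the app.  The APK is built in memory from
# constructed bytes; the hostnames are invented.
import io
import re
import zipfile
from urllib.parse import urlsplit

URL_RE = re.compile(rb"https?://[A-Za-z0-9][A-Za-z0-9.\-]*(?::\d+)?(?:/[A-Za-z0-9._~%/\-]*)?")
NON_PROD_MARKERS = ("staging", "stage", "stg", "dev", "qa", "test", "uat", "sandbox", "internal")


def find_urls_in_apk(apk_bytes):
    """Scan every zip entry (classes*.dex, resources.arsc, assets/...) for
    URL-looking byte strings.  Dex and resource string pools keep ASCII
    intact, so a plain regex finds constants; URLs assembled at runtime or
    stored encrypted/obfuscated will not show up."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.infolist():
            for m in URL_RE.finditer(apk.read(entry.filename)):
                url = m.group().decode("ascii")
                hits.setdefault(url, set()).add(entry.filename)
    return hits


def classify_hosts(urls):
    """Group hostnames into production-looking and non-production-looking
    by DNS label, so staging/dev environments stand out."""
    prod, non_prod = set(), set()
    for url in urls:
        host = urlsplit(url).hostname or ""
        labels = re.split(r"[.\-]", host.lower())
        (non_prod if any(l in NON_PROD_MARKERS for l in labels) else prod).add(host)
    return prod, non_prod


def build_sample_apk():
    """Constructed stand-in for a real APK: a zip with a fake dex string pool
    and a config asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join([
            b"https://api.example-neighbors.com/api/alerts/",
            b"https://api-staging.example-neighbors.com/api/alerts/",
            b"Lcom/example/net/ApiClient;",
        ]) + b"\x00")
        z.writestr("assets/config.json",
                   b'{"base": "https://api.example-neighbors.com", "dev": "https://dev.example-neighbors.com:8443/"}')
        z.writestr("res/raw/licenses.txt", b"no urls here")
    return buf.getvalue()
```

On a real package, `find_urls_in_apk(open("app.apk", "rb").read())` is enough to start; endpoints assembled at runtime or stored obfuscated need a decompiler or a runtime hook instead. A staging host in a shipped client matters because such environments tend to run newer or older builds with different controls than production, which is why it belongs on the scope list of any assessment.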

That's the end. Don't buy a product with such lousy security 15/15
pic.twitter.com/F4bWdBZCvS

https://mobile.twitter.com/fs0c131y/status/1208009855149248512