Amazon Quickly Fixed a Vulnerability in Ring Android App That Could Expose Users’ Camera Recordings

Intro

Researchers at Checkmarx found that the Ring Android app could have allowed a malicious application installed on the user’s phone to expose their personal data, geolocation, and camera recordings.

Ring by Amazon operates in the home security space and manufactures products that include outdoor and indoor surveillance cameras. Their Android application has been downloaded over 10 million times.

Proof of Concept Video:


Technical Details

The vulnerability was found in the com.ringapp/com.ring.nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, as such, was accessible to other applications on the same device. These other applications could be malicious applications that users could be convinced to install.

This activity would accept, load, and execute web content from any server, as long as the Intent's destination URI contained the string “/better-neighborhoods/”.

We could use adb to replicate a valid Intent:

The attacker-controlled web page could then interact with the WebView’s JavaScript interfaces, as long as it was served from a “ring.com” or “a2z.com” subdomain.
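To make the two weak checks concrete, here is an added illustration (hypothetical code written for this write-up, not Ring's implementation) that contrasts a substring/suffix style of deep-link validation with an exact allowlist check. The host names and the `DeepLinkPolicy` class are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Hypothetical deep-link validation for a WebView activity; not code from the Ring app. */
public final class DeepLinkPolicy {
    // Constructed allowlist: the only host this WebView (and its JS bridge) should ever load.
    private static final Set<String> ALLOWED_HOSTS = Set.of("account.example.com");

    // Weak pattern described above: the URI is accepted as long as its text contains the
    // marker segment, so any attacker-controlled host with that path passes.
    static boolean weakCheck(String uri) {
        return uri.contains("/better-neighborhoods/");
    }

    // Hardened pattern: exact scheme, exact host from the allowlist (no "any subdomain"
    // matching), and the marker as a path prefix. Malformed or surprising input is rejected.
    static boolean strictCheck(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equals(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;        // reject https://trusted@evil/... forms
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return false;
        String path = uri.getPath();
        return path != null && path.startsWith("/better-neighborhoods/");
    }

    public static void main(String[] args) {
        String[] samples = {                                  // constructed sample deep links
            "https://account.example.com/better-neighborhoods/home",   // weak=true  strict=true
            "https://attacker.example/x/better-neighborhoods/",        // weak=true  strict=false
            "https://other.example.com/better-neighborhoods/",         // weak=true  strict=false
            "https://account.example.com@attacker.example/better-neighborhoods/", // strict=false
        };
        for (String s : samples) {
            System.out.printf("%-72s weak=%b strict=%b%n", s, weakCheck(s), strictCheck(s));
        }
    }
}
```

The same allowlist should gate `addJavascriptInterface`, and an activity that only serves in-app navigation should be declared with `android:exported="false"` so other packages cannot reach it at all.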

The team at Checkmarx was able to find a Reflected Cross-Site Scripting (XSS) vulnerability in cyberchef.schlarpc.people.a2z.com, which allowed them to complete this attack chain.

Knowing of this vulnerability, an attacker could trick victims into installing a malicious application that triggered the following Intent to complete the attack:

This payload redirects the WebView to the malicious web page, which can access the __NATIVE__BRIDGE__.getToken() JavaScript Interface that grants access to an Authorization Token, which can then be exfiltrated to an attacker-controlled server.

This token is a JSON Web Token (JWT), which on its own is insufficient to authorize calls to Ring’s multiple APIs. Authorization is enforced using an rs_session cookie.

However, this cookie can be obtained by calling the https://ring.com/mobile/authorize endpoint with both a valid Authorization Token plus the corresponding device’s Hardware ID.

Luckily for our researchers, this Hardware ID was encoded into the token.

With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings.

More specifically, the following APIs were used:

Let’s Scale the Attack

Since this vulnerability could give an attacker more videos than they could ever review by hand, the researchers took it one step further by applying a computer vision service capable of video analysis. Google Vision, Azure Computer Vision, or any similar service would have worked, but we chose the excellent Amazon Rekognition service. Rekognition can automate the analysis of these recordings and extract information that would be useful to malicious actors: it can scan an unlimited number of videos and detect objects, text, faces, and public figures, among other things.

To further demonstrate the impact of this vulnerability, the researchers showed how this service could be used to read sensitive information from computer screens and documents visible to the Ring cameras and to track people’s movements in and out of a room.

Timeline

  • 1-May-2022    Full findings reported to the Amazon Vulnerability Research Program
  • 1-May-2022    Amazon confirmed receiving the report
  • 27-May-2022   Amazon released a fix to customers in version .51 (3.51.0 Android, 5.51.0 iOS)

Amazon’s Response

Amazon considered this a high-severity issue and released a fix for it soon after it was reported:

“We issued a fix for supported Android customers on May 27, 2022, soon after the researchers' submission was processed. Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.”

Epilogue

It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process. For this reason, and a great researcher experience, we’re granting Amazon’s Security Team the Checkmarx Seal of Approval. 

And, as always, our security research team will continue to focus on ways to improve application security practices everywhere. 
