Video doorbells may be cutting down on the amount of time you have to spend running to and from your front door, but they could also be cutting down on the amount of privacy you have in your home. As per a new report from The Information, a major security flaw in popular video doorbells from Ring, the company recently acquired by Amazon for $1 billion, does not require users to re-log into the doorbell app when a password has been changed.
That means that if you’d previously granted access to your Ring doorbell app to say, a significant other, but then wanted to revoke that access after your relationship went sour, he or she would still actually be able to monitor the activity taking place outside your front door. Worse yet, it didn’t matter how much time passed — the app never asked users to sign in again after a password change.
While Ring was notified of the issue beginning in January and claimed to have removed users who were no longer authorized, The Information tested this vulnerability and found that for “several hours,” users were still able to access the app after a password change. Ring’s CEO Jamie Siminoff has even acknowledged the ongoing issue, as kicking users off the platform apparently slows down the Ring app. That said, this window of time presents a serious problem — not only could someone be watching your front door, but he or she could also download videos, or otherwise control the doorbell as an administrator.
This doesn’t bode particularly well for Amazon, which was planning to use Ring video doorbells as part of a secure solution for delivery programs like Amazon Key, which allows delivery personnel to drop off packages directly into someone’s home. But if Ring doorbells can’t even protect against an ex-boyfriend, it will be difficult for Amazon to convince customers that they’ll protect against other ill-intentioned actors.
Ring has since issued a statement with regard to the security exploit, noting that further security measures are on their way. In the meantime, you should do what you can to avoid giving unnecessary actors access to your doorbell.
“Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security,” the company said. “We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s ‘Shared Users’ feature. This way, owners maintain control over who has access to their devices and can immediately remove users. Our team is taking additional steps to further improve the password change experience.”
Updated on May 13: Added statement from Ring.