Amazon quietly fixes Ring Android app bug that exposed data, camera recordings
Amazon resolved a vulnerability in May that exposed the data and camera recordings of Ring app users on Android devices.
The bug was reported to the Amazon Vulnerability Research Program — Ring was purchased by Amazon in 2018 — by researchers with cybersecurity firm Checkmarx on May 1.
Amazon released a fix for the issue on May 27 within the version .51 (3.51.0 Android, 5.51.0 iOS) update. The Android Ring app has been downloaded more than 10 million times, giving users access to video streams from their cameras through the app.
An Amazon spokesperson said no customer information was exposed and confirmed that a fix was released in May for the issue.
In comments to Checkmarx, the company said the issue “would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.”
Erez Yalon, vice president of security research at Checkmarx, told The Record that it was difficult to estimate how widespread the vulnerability is because it required the researchers to chain together several vulnerabilities in the Ring Android app and Amazon website.
“Each would be problematic, but chaining them together, something hackers always try to do, made it so impactful.”
When exploited, the vulnerabilities Checkmarx found “could have allowed a malicious application installed on the user’s phone to steal their personal data, geolocation, and camera recordings.”
In a report released on Thursday, the researchers showed how, in a series of steps, they were able to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings.
The researchers went a step further, explaining how someone could use Amazon’s Rekognition facial recognition tool to “automate the analysis of these recordings and extract information that could be useful for malicious actors.”
“To further demonstrate the impact of this vulnerability, the researchers showed how this service could be used to read sensitive information from computer screens and documents visible to the Ring cameras and to track people’s movements in and out of a room,” the researchers said.
“Due to the high potential impact of the vulnerability and the high likelihood of success in real attack scenarios, Amazon considered this a high-severity issue and released a fix for it soon after it was reported.”