Smart Doorbell Bug Causes Massive Privacy Freakout

Zarathustra[H]

Earlier in the month, a Reddit user noticed some odd traffic from his Ring-branded smart doorbell and intercom going to a server related to Baidu in China. When this story was picked up by IoT For All and reported as a huge vulnerability, it understandably set off quite a bit of concern among Ring's users. Ring did an admirable job of addressing this problem. As it turns out, a bug in the software was, at random intervals, sending tiny millisecond-long snippets of audio to a Chinese server. Fixes were issued, and a third-party security audit firm confirmed that it appeared to be a bug, that it had been fixed, and that the millisecond snippets of audio were too small to be used for any malicious intent. It does, however, highlight the question of whether users have had it with IoT devices.

Is there a backlash against IoT and the cloud brewing? Personally I take the old-school enterprise approach. I don't mind having "smart" devices on my network, but I don't want them communicating with the public network or any cloud. I don't mind running a home server with software to manage these devices myself, and if I want to access it from outside my home, opening my own port and forwarding it on my router, but I absolutely don't want any cloud-based device in my home. I think it would be great if people stopped being lackadaisical when it comes to entrusting their data to cloud providers, but I don't believe that is going to happen anytime soon. Convenience is king, and ignorance is bliss.

Ring denies the charge that it uses any off-the-shelf systems from China, which usually indicates a lower-quality device. "We take extensive measures to build quality products that are secure," Ring CTO Roth said in his statement first posted on Reddit. Ring didn't respond to further questions about why the traffic to China was happening in the first place beyond that it was only a bug. Wikholm suspects it might have been some leftover test code from a Chinese chip vendor.

“There’s a stigma of anything going to China is bad,” Wikholm said. “But a lot of this stuff is made and maintained in China.”
 
The thought of asking people to host their own servers / open ports on their router makes me shudder. Yeah, in this community we can handle it, but asking your typical person to do so would turn into an early x-mas for every botnet in the world.

Theoretically cloud based solutions would be much more secure because people who don't know how to manage their things don't have to manage their things. But then you end up with situations like this, or the baby monitors that open themselves up to the wild. And hell, even people who should be doing security can't do security. (looking at the Ubiquiti issues that were recently posted)

We're all screwed.
 
“But a lot of this stuff is made and maintained in China.”
captain-obvious.jpg
 
The thought of asking people to host their own servers / open ports on their router makes me shudder. Yeah, in this community we can handle it, but asking your typical person to do so would turn into an early x-mas for every botnet in the world.

Theoretically cloud based solutions would be much more secure because people who don't know how to manage their things don't have to manage their things. But then you end up with situations like this, or the baby monitors that open themselves up to the wild. And hell, even people who should be doing security can't do security. (looking at the Ubiquiti issues that were recently posted)

We're all screwed.


Good points. I at least wish it could be an option to manage your own, and not be connected to some cloud service. I can always buy the enterprise alternative to the consumer IoT du jour, but that gets expensive in a hurry.
 
What would it matter even if it was an intentional effort to spy on people? Smart TVs are already doing that anyway.
 
It would be pretty nice if home routers would set up a restricted subnet just for IoT devices automatically, and apply WAN security + rate-limiting rules on devices in that subnet based on a community-managed rule repo for major devices, in addition to client isolation from your internal network. I'm currently doing most of that manually, but it takes a separate WAP, a carefully configured router distro, and some VLANing, but it really should be something my dad can buy at Best Buy, and it would make a <SSID>-IoT network automatically, and have a separate PnP button to pair devices to it. Manufacturers can submit their device rules to the distro (and the community can pick it apart if they so choose) for whitelisting, and a compromised device can't significantly deviate from that. I happen to like IoT devices, but in most cases, they don't need more than a trickle of data, or a handful of rules.
 
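The post above describes an IoT VLAN with per-device allowlists, rate limiting and client isolation, and the story that started the thread is exactly the kind of deviation such a setup would catch: a doorbell that should only talk to its vendor's cloud sending small bursts somewhere else. The block below is an added example, not code from the thread, from Ring or from any router distro. It evaluates constructed flow records against a per-device rule set and renders the same rule set as nftables rules. Every MAC address, CIDR, port, byte budget, interface name (br-iot, br-lan) and flow record in it is an assumption made for illustration; in practice the flows would come from conntrack, NetFlow or a pcap summary.

```python
# Added example (not from the thread or any vendor): a per-device egress
# allowlist for an IoT VLAN, with a byte budget per device and an nftables
# rendering. All MACs, CIDRs, ports, budgets and flows are constructed.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DeviceRule:
    """What one device is allowed to do once it is on the IoT VLAN."""
    name: str
    allowed_nets: tuple[str, ...]   # CIDRs the vendor says the device needs
    allowed_ports: frozenset[int]   # destination TCP ports it needs
    bytes_per_minute: int           # egress budget; a trickle for most devices


@dataclass(frozen=True)
class Flow:
    """One egress flow record (constructed; think conntrack/NetFlow output)."""
    ts: float        # seconds since epoch
    src_mac: str
    dst_ip: str
    dst_port: int
    tx_bytes: int


# Constructed rule set keyed by device MAC (hypothetical addresses).
RULES = {
    "aa:bb:cc:00:00:01": DeviceRule("doorbell", ("198.51.100.0/24",), frozenset({443}), 200_000),
    "aa:bb:cc:00:00:02": DeviceRule("thermostat", ("203.0.113.0/24",), frozenset({443, 8883}), 20_000),
}


def flow_violations(flow: Flow, rule: DeviceRule) -> list[str]:
    """Destination and port checks for one flow against its device's rule."""
    reasons = []
    dst = ip_address(flow.dst_ip)
    if not any(dst in ip_network(net) for net in rule.allowed_nets):
        reasons.append(f"dst {flow.dst_ip} not in allowlist")
    if flow.dst_port not in rule.allowed_ports:
        reasons.append(f"port {flow.dst_port} not allowed")
    return reasons


def audit(flows: list[Flow], rules: dict[str, DeviceRule] = RULES, window: int = 60) -> list[tuple[Flow, list[str]]]:
    """Return (flow, reasons) for every flow that deviates from its device's rule.

    Unknown MACs are flagged outright. The byte budget is flagged once per
    window, on the flow that first pushes the device over it.
    """
    findings = []
    spent: dict[tuple[str, int], int] = defaultdict(int)
    for flow in sorted(flows, key=lambda f: f.ts):
        rule = rules.get(flow.src_mac)
        if rule is None:
            findings.append((flow, ["unknown device on IoT VLAN"]))
            continue
        reasons = flow_violations(flow, rule)
        key = (flow.src_mac, int(flow.ts // window))
        before = spent[key]
        spent[key] = before + flow.tx_bytes
        if before <= rule.bytes_per_minute < spent[key]:
            reasons.append(f"{rule.name} over {rule.bytes_per_minute} B/min budget")
        if reasons:
            findings.append((flow, reasons))
    return findings


def nft_rules(rules: dict[str, DeviceRule] = RULES, iot_if: str = "br-iot", lan_if: str = "br-lan") -> str:
    """Render the allowlist as an nftables ruleset (interface names are assumptions).

    Return traffic passes by conntrack state, the IoT VLAN is isolated from the
    LAN, each device gets only its vendor nets/ports under a byte-rate cap, and
    anything else is logged and dropped.
    """
    lines = [
        "table inet iot {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        f'    iifname "{iot_if}" oifname "{lan_if}" drop',
        f'    iifname "{iot_if}" jump iot_egress',
        "  }",
        "  chain iot_egress {",
    ]
    for mac, r in rules.items():
        ports = ", ".join(str(p) for p in sorted(r.allowed_ports))
        lines.append(f"    ether saddr {mac} limit rate over {r.bytes_per_minute} bytes/minute drop")
        for net in r.allowed_nets:
            lines.append(f"    ether saddr {mac} ip daddr {net} tcp dport {{ {ports} }} accept")
    lines += ['    log prefix "iot-egress-drop " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed flows: the doorbell talks to its cloud normally, then sends three
# tiny bursts to an address no rule covers; the thermostat overruns its budget
# inside one window; an unknown MAC shows up on the VLAN.
SAMPLE_FLOWS = [
    Flow(1000.0, "aa:bb:cc:00:00:01", "198.51.100.10", 443, 50_000),
    Flow(1003.2, "aa:bb:cc:00:00:01", "192.0.2.77", 443, 300),
    Flow(1017.9, "aa:bb:cc:00:00:01", "192.0.2.77", 443, 280),
    Flow(1041.4, "aa:bb:cc:00:00:01", "192.0.2.77", 443, 310),
    Flow(1005.0, "aa:bb:cc:00:00:02", "203.0.113.5", 8883, 15_000),
    Flow(1012.0, "aa:bb:cc:00:00:02", "203.0.113.5", 8883, 10_000),
    Flow(1050.0, "de:ad:be:ef:00:99", "198.51.100.10", 443, 1_000),
]

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_FLOWS):
        print(f"{flow.ts:.1f} {flow.src_mac} -> {flow.dst_ip}:{flow.dst_port}: {'; '.join(reasons)}")
    print(nft_rules())
```

Running it flags the three small doorbell flows to the unlisted address, the thermostat's budget overrun and the unknown MAC, and leaves the doorbell's normal cloud traffic alone. The log-then-drop tail of the generated ruleset is what makes the "block everything and see what breaks" phase survivable: run with `policy accept` and only the log rule first, read the `iot-egress-drop` entries, then tighten the per-device lines.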
There is no cloud. It's just someone else's computer.

Where? What type of infrastructure are they using? What type of networking equipment is it connected to? Does it matter?

That's what the cloud obscures. You're getting a service, but that stuff is hidden in a "cloud". You have your local stuff, then it goes into "the cloud" where you don't know where or what it is running on. Just that you're getting that service.

That's the cloud on a network diagram. As long as that service is working as it should, you don't care if it's AMD or Intel or on a Cisco or a Juniper switch...

I love the smart home stuff. It's fun. I would never put it in control of anything I really needed (and I always have manual control), and if I needed privacy I'd have a backup system (I have a laptop that I use for when I do need more private stuff... not porn, everyone can see that).
 
The "bug" was that they forgot to comment out the line of code that was written to call China

You misplaced those quotes. It should be "forgot".

I "forgot" to do something, too. Really, it's because I didn't want to do it.
 
Separate from recording any audio, it creates a data table of each and every time somebody uses the doorbell. Thieves just love that sort of information.
 
I hope Intel makes the wise move and departs from IoT before it becomes the shitstorm it is destined to be.
 
Poorly configured and designed 'IoT' devices made by young blood 'engineers' with no understanding of existing, secure tech. Just implementing features and pushing it to market faster than ever before!
 
IoT is silly, and useless, in the short term. Investment in, I don't know, making sure that bridges don't collapse, right here in the US?

We are the only "Super-Duper" power now. Great. I know that a lot of you are Trumpsters. Wonderful. When you folks are working on the slave labor that will be "The American Wall," could you please give the states a few bucks for infrastructure? And legalize weed! Tax the hell out of it!

I'm a liberal with an open mind. Deal with it.

I know that I will be hated for this.

"And I kind of like it."
Dixie Chicks.
 
New day, check.
Another IoT security issue, check.
Situation normal.

As long as most home users have little to no perimeter security, this will keep happening.
 
Smart Doorbell bug? WTF is a Smart Doorbell??

Is it made by the same people that made the Crockpot with built-in Wi-Fi?

(googles smart doorbell,)

LOL I wonder how many of these get stolen
" why didn't you ring my doorbell?.. what doorbell?? "

"when I was your age, we had to look through a teeny weeny window that was actually built into the door"
 
Smart Doorbell bug? WTF is a Smart Doorbell??

Is it made by the same people that made the Crockpot with built-in Wi-Fi?

(googles smart doorbell,)

LOL I wonder how many of these get stolen
" why didn't you ring my doorbell?.. what doorbell?? "

"when I was your age, we had to look through a teeny weeny window that was actually built into the door"

Why do you need power steering in cars? Use your arms properly! Why do you need power windows in cars? Can't you turn the knob yourself?

Also, these smart doorbells are covered by the manufacturer if they get stolen.

Just because it doesn't fit your needs doesn't mean it isn't useful.
 
Now wait one damn minute. How does a "bug" cause a device to send snippets of audio to a server. In China. By accident.

Horseshit.

That would mean they program better by accident than on purpose.

Again, Horseshit.

Agreed. How is this a bug!!??
 
Why does a doorbell even need a connection to the internet? That's the last thing that should be accessible from outside.
 
Now wait one damn minute. How does a "bug" cause a device to send snippets of audio to a server. In China. By accident.

Horseshit.

That would mean they program better by accident than on purpose.

Again, Horseshit.

Agreed.

Seems like there's probable cause for authorities to do some investigating. I wonder if the Ring guys have 'accidentally' been communicating with any Chinese contacts lately.
 
While I understand the issues involving security, there are some risks that are worth the convenience for me. I never use the front door except for when deliveries come, and honestly, I'm much more concerned about the Google Home taking random audio than I am about the doorbell audio from a dead-end street or the video of my neighbor's dog shitting in the yard lol. I'm surprised no one is trying to dive into exactly how much goes through Home and Echo compared to stuff like the refrigerator or doorbell. Some thief can see my lactose-free milk, o no!
 
I like how he says there is a "stigma" with sending information to China... Why TF does it need to send info back to the country it was made in? If it's an 'American' company then they should have the server stateside, not in China... IMO China doesn't need to maintain "home visits" and usage of the product. It's a stigma for a reason... it's a foreign country looking at data in another country. Shit is crazy what people say today. I saw some FB posts on how some people think ALL police officers are killers and are the "biggest mafia that is government backed", and people were going on and on about how they are ALL dangerous... o_O People actually believe this crap? ALL police officers are dangerous?! Generalize much?! I'm sure ALL of the servers in China are 100% secure and the Chinese government doesn't look at the data at all...
 
Poorly configured and designed 'IoT' devices made by young blood 'engineers' with no understanding of existing, secure tech. Just implementing features and pushing it to market faster than ever before!

Don't blame the young blood engineer, he's just ignorant. Blame the company that doesn't want to pay for a seasoned knowledgeable engineer that understands secure tech.
 
Intranet of things is what I want. I very much want my devices to be able to talk to each other on their own private VLAN, but I can think of few if any reasons for them to have any access to the outside world.
 
Poorly configured and designed 'IoT' devices made by young blood 'engineers' with no understanding of existing, secure tech. Just implementing features and pushing it to market faster than ever before!
Yep. What we need is some sort of voluntary certification, kind of like what Underwriters Labs does for A/C devices.
Don't blame the young blood engineer, he's just ignorant. Blame the company that doesn't want to pay for a seasoned knowledgeable engineer that understands secure tech.
Much of the time the company does not know they need experienced embedded software engineers, and their existing staff won't tell them because they think they are up to the task themselves (and don't want to be left out of the fun). So there's plenty of blame to go around.
 
Most switches auto-VLAN VoIP; propose an RFC for doing the same for IoT. Hell, it'll probably be necessary to auto-QoS the damn things too. If the fridge starts slowing down Netflix there'll be a revolution! :D
 
Intranet of things is what I want. I very much want my devices to be able to talk to each other on their own private VLAN, but I can think of few if any reasons for them to have any access to the outside world.

That's more in line with what I've got at my house. I have an intranet with all kinds of connected crap. I don't allow most of it out. I have quite a few networks in my house actually. Not all are connected to the internet either, and some have more access to things than others.
 
The kids and hipsters that work at these companies don't bother properly testing and QAing gear.

End of.
 
Most switches auto-VLAN VoIP; propose an RFC for doing the same for IoT. Hell, it'll probably be necessary to auto-QoS the damn things too. If the fridge starts slowing down Netflix there'll be a revolution! :D

I'm really annoyed with the amount of 'mystery' traffic coming from devices on my home network. Even the 'smart' TV. I put a bunch of firewall rules to block everything except a few devices, but then you run into other weird problems. e.g. someone's android phone complains and prevents certain seemingly unrelated services from working properly.
 
I'm really annoyed with the amount of 'mystery' traffic coming from devices on my home network. Even the 'smart' TV. I put a bunch of firewall rules to block everything except a few devices, but then you run into other weird problems. e.g. someone's android phone complains and prevents certain seemingly unrelated services from working properly.

I just keep my "smart TV" unplugged from the network. I don't use any of its "smart" features anyway.
 
While I understand the issues involving security, there are some risks that are worth the convenience for me. I never use the front door except for when deliveries come, and honestly, I'm much more concerned about the Google Home taking random audio than I am about the doorbell audio from a dead-end street or the video of my neighbor's dog shitting in the yard lol. I'm surprised no one is trying to dive into exactly how much goes through Home and Echo compared to stuff like the refrigerator or doorbell. Some thief can see my lactose-free milk, o no!

The only sounds it's going to pick up are my gardeners who come over every Tuesday. I don't mind.
 