The Ring WiFi doorbell, an IoT device, not only allows users to view whomever is on their doorstep via the internet from a mobile device when they are not home, but also gives away the homeowners wi-fi password.
Pen Test Partners discovered the vulnerability in Ring that reveals the wi-fi password of the homeowner. The doorbell can be easily detached from the wall outside of a home. An orange button on the back of the bell will set the wireless component to AP (Access Point) mode when pressed.
Once in AP mode, hackers can use their mobile device to connect to the server through a specific URL to gain access to the homeowner's wireless network. The URL will then reveal the wireless module's configuration file in the browser that contains the home wi-fi network SSID and password.
Then all the hacker has to do is put the doorbell back on the outside of the house and go away. Hackers can then initiate other exploits against the victim with access to their network.
Pen Test Partners said that Ring released a firmware update two weeks after they were privately advised of the flaw.
This article originally appeared at scmagazineus.com