Amazon addresses vulnerability in Ring app for Android

Amazon has released an update for its Ring for Android app to fix a vulnerability discovered by Checkmarx, a company that specializes in application code scanning. The vulnerability involved an exposed deeplink/intent within the Ring application, allowing a bad actor to access recordings.


Looking at a vulnerability with the potential to give an attacker more videos than they can investigate, the researchers decided to take it one step further by using computer vision technology capable of video analysis. We could have used Google Vision, Azure Computer Vision, or any other service, but we decided to go with the excellent Amazon Rekognition service. Rekognition can be used to automate the analysis of these recordings and extract information that could be useful for malicious actors. Rekognition can scan an unlimited number of videos and detect objects, text, faces, and public figures, among other things.

To further demonstrate the impact of this vulnerability, the researchers showed how this service could be used to read sensitive information from computer screens and documents visible to the Ring cameras and to track people’s movements in and out of a room.

More details can be found on the Checkmarx website.