Ring Doorbell Doesn’t Keep You Safe After Password Change

It’s one thing when a vulnerability is discovered and show that your device isn’t as safe as you thought it was. But when that vulnerability is found in your video doorbell, that can be quite alarming. It’s been discovered that after you change your password on the Ring doorbell, anyone who has your prior password can still gain entry.

Assumably, this is a problem Amazon wasn’t looking for when they recently acquired the Ring company for $1 billion. In this major security flaw that was discovered, once a user changes the password, the Ring doorbell doesn’t require them to log back in.

It defeats your reason for wanting to change your password to begin with. Someone had your password, or you suspected they did, so you changed it. This could have been because someone stole your password or because you gave it to someone and then later fell out of favor with them. But you don’t still want them to have access to knowing who’s coming and going from your house, so you change the password.

news-ring-doorbell-password-lock

Ring was notified of this vulnerability in January, and they claimed they removed all the users who were no longer authorized. But the website “The Information” tested it and found that for “several hours” former users were still able to access the app after the password was changed.

Jamie Siminoff, Ring’s CEO, acknowledged the vulnerability, noting that eliminating access to a prior user slows the Ring app. In that window of time while the prior password is still usable, that person with the old password can watch your door or download videos. Basically, they can control your Ring doorbell as if they were an active administrator.

The Ring doorbell wasn’t just being used to keep people out. They are also being used for Amazon deliveries with the Amazon Key program. This allows Amazon to make deliveries inside your home if you’re out. They access your home, leave the package, and exit, and you can watch them inside your house with the Ring. But this vulnerability makes it hard to trust it.

Ring issued a statement explaining that they will be making further security measures, and in the meantime they suggest you avoid giving unnecessary people access to your doorbell, but you can give your code to just one person, the person you share your home with, and if something happens to that relationship, and they move out, you’re now vulnerable.

news-ring-doorbell-password-safe

Ring values the trust our neighbors place in us, and we are committed to the highest level of customer information and data security,” the company said in the statement.

We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s ‘Shared Users’ feature. This way, owners maintain control over who has access to their devices and can immediately remove users. Our team is taking additional steps to further improve the password change experience.

This goes beyond the Ring doorbell, though. This should make us question everything. If a device designed to keep us safe is shown to not be as safe as it was said to be, even when it is connected with a big company like Amazon, there can still be issues. It makes it hard to trust anything.

Does this change your thinking regarding how you use your devices and who you share your passwords with? Do you have a Ring doorbell and are now rethinking it? Let us know how you feel about this news below in the comments section.

3 comments

  1. “The Ring Vulnerability”
    The Ring vulnerability is an example of how IoT device manufacturers operate. In the haste to be the firstest with the mostest to the market, Q/A and security get a short shrift.

    “Ring ……………. claimed they removed all the users who were no longer authorized.”
    You mean the names of the users and their passwords are stored on Ring’s servers, rather than locally???!!! What possible justification could there be for Ring, or any other IoT company, to be in possession of that information?! Talk about a security hole!

    “They access your home, leave the package, and exit”
    You hope! How do we know that we can trust the Amazon delivery people? Does Amazon bond them?

    “Jamie Siminoff, Ring’s CEO, acknowledged the vulnerability, noting that eliminating access to a prior user slows the Ring app.”
    ID10T! And this guy is a CEO of a cutting edge tech company???!!!
    When I change any password, I expect the change to take place immediately, not in a couple of hours or couple of days. If eliminating access to a prior user slows the application down, then the application was coded incorrectly originally and its code must be changed ASAP. It also begs the question of why it was coded in this particular way. Is it a backdoor?

    “Does this change your thinking regarding how you use your devices and who you share your passwords with?”
    No. I will never install ANY IoT devices in my home. I do not share my password(s) with anybody.

    • I’m with you. I wouldn’t trust the Amazon delivery service in my home either, whether I had access to watch them on camera or not. If they can’t be trusted with my passwords, I’m not going to trust them to walk into my home. Just leave it on my doorstep. Thanks.

  2. Here is the only way I would use Ring and Amazon delivery: If I had an enclosed front porch with a separate, locked home entrance behind the front porch entrance. Basically Amazon could deliver packages in a semi-secure, convenient location, but not have access to my home.

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.

Sponsored Stories