"Vulnerability in Amazon Ring App Allowed Access to Private Camera Recordings"

Attackers could have exploited a vulnerability in the Android version of the Ring app, which is used to remotely manage Amazon Ring outdoor (video doorbell) and indoor surveillance cameras, to extract users' personal data and device data, including geolocation, address, and recordings. Checkmarx researchers discovered the vulnerability and went on to demonstrate how an attacker could later analyze large numbers of recordings using computer vision technology to extract additional sensitive information, such as what appears on computer screens or paper documents, and material such as video records or images of children. If attackers had succeeded in convincing Ring users to download a specially crafted malicious app, the app could have exploited the vulnerability to obtain the authentication token and hardware ID, allowing attackers to access the customer's Ring account via multiple Ring Application Programming Interfaces (APIs). This would have allowed them to steal the victims' personal information (name, email, phone number) as well as Ring device data (geolocation, address, and recordings) from the cloud. The flaw could also have allowed attackers to harvest millions of recordings from a large number of users and automate the discovery of sensitive information or materials using machine learning (ML) technology. Amazon Rekognition can be used to automate the analysis of these recordings and extract information that malicious actors might find useful. According to the researchers, Rekognition can scan an infinite number of videos and detect objects, text, faces, and public figures, among other things. This article continues to discuss the potential exploitation and impact of the Amazon Ring app vulnerability.

Help Net Security reports "Vulnerability in Amazon Ring App Allowed Access to Private Camera Recordings"

Submitted by Anonymous on