You’d expect a smart doorbell to instantly boot out everyone the moment you change your password, but that isn’t necessarily the case. The Information has learned that the app for Ring’s video doorbell wasn’t forcing users to sign-in after password changes, regardless of how much time had elapsed — in one case, an ex-partner had been watching the camera for months. Ring said it started kicking people out in January, after receiving word of the incident, but that window of opportunity still lasted several hours in an Information test.
The issue, as you might guess, is that the window exists in the first place. Someone with a still-valid login could not only spy on whatever’s happening, but download videos. The same incident that prompted the change also included phantom rings in the middle of the night.
The flaw provides something of a headache for Amazon, which only acquired Ring in February. If it’s going to use Ring’s doorbells as part of delivery solutions like Amazon Key, it needs to know that the devices are reasonably secure against exploits like this. This is also a reminder that smart home security needs to be particularly tight — a loose policy can easily lead to privacy violations.