The Ring WiFi doorbell, an IoT device, not only allows users to view whomever is on their doorstep via the internet from a mobile device when they are not home, but also gives away the homeowners WiFi password.
However, Pen Test Partners discovered a vulnerability in Ring that reveals the WiFi password of the homeowner. The doorbell can be easily detached from the wall outside of a home. An orange button on the back of the bell will set the wireless component to AP (Access Point) mode when pressed.
Once in AP mode, hackers can use their mobile device to connect to the server through a specific URL to gain access to the homeowner's wireless network. The URL will then reveal the wireless module's configuration file in the browser that contains the home WiFi network SSID and password.
Then all the hacker has to do is put the doorbell back on the outside of the house and go away. Hackers can then initiate other exploits against the victim with access to their network.
Pen Test Partners said that Ring released a firmware update two weeks after they were privately advised of the flaw.