Fortinet Discovers DoorBot Network Configuration Leak Vulnerability
Fortinet's FortiGuard Labs has discovered a network configuration leak vulnerability in DoorBot.
The DoorBot, now known as Ring, is a connected doorbell with network capabilities. It connects to a user's home Wi-Fi and lets the owner interact with visitors via the doorbell from a smartphone, or receive a mobile alert every time the doorbell rings. It can also be connected to existing doorbell wiring so that the door can be answered from a smartphone.
The vulnerability can be attributed to the poor configuration of its GainSpan Wi-Fi module, which provides an API to recover the DoorBot's network configuration in plain text.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Released Jun 04, 2015
No vendor patch so far.
The vulnerability was first reported to the vendor on March 13, 2015. After several rounds of communication, the vendor stopped responding. Six months have passed since the last communication, and we still have not received any response regarding the fix.
This vulnerability was discovered by Ruchna Nigam of Fortinet's FortiGuard Labs.