36 comments

[ 3.5 ms ] story [ 70.3 ms ] thread
I thought I recognized the packaging. Turns out this was 'DoorBot' from Shark Tank that got renamed to 'Ring.'

They ended up getting a $28MM investment from Richard Branson for a $60MM valuation after getting a shoddy deal on the tank: http://www.businessinsider.com/ring-from-shark-tank-to-richa...

Good on them.

I'm surprised that they received such a negative reception on SharkTank. Unlike most IoT products I've seen, this really seems like a great idea.
because a tv show where the star main deal was stealing a billion from Yahoo for a product that never was live (broadcast.com) should be infallible?
It's not a new idea though. There are a few other companies making the same thing.
Ring pulls it off better, in my opinion. Installation is dead simple, the app works fairly well, and the product is well-designed, all the way down to the packaging/install kit.

I've tried a few other similar products and just haven't been nearly as satisfied with the experiences (mostly due to software quirks).

Ring, like Nest, was simple enough that my technically inept parents managed to deploy and use it without my intervention. That says a lot.

Interesting, if you place electronic hardware outside, thieves can steal information from it!
Soon it may be as easy as walking up to a mailbox for sensitive information or lifting a package from a porch!
not just a low-level exploit but an actual fatal design flaw. oops.

software engineers for IoT should really be forced to participate in security training.

From this comment and the one about the memory wipe I get the feel that there is a notion that hardware-based (anti-tampering) security is the only solution to this problem.

Isn't a straightforward software solution is to make the PSK write-only or protected by a different, changeable password?

serious question: what would be a better way to store the wifi credentials protected against the device theft?
Wipe the memory when the back-plate is removed? It certainly isn't perfect but will make it harder.
do what every lock do for the last century: do not leave screws outside.

further, I'd have one module inside the door, a little wire just connecting a dumb button to the outside.

granted installation would require a single drill hole, but it wouldn't be a huge fail like this.

But the module seems to have a camera.
Make it two drill holes then.
Or just fit the camera in the bell push housing.
Bluetooth to wifi bridge.
Host its own wifi, with small preconfigured bridge device to plug into spare ethernet port of router?
Unfortunately if the unit isn't wired in, you have to remove it for charging meaning redoing setup when the battery gets low.
A base module inside the house instead of using the wireless directly. The doorbell would talk to the base module over some type of encrypted connection using a separate wireless network or bluetooth, and the module in the house would be plugged into the network, either over ethernet or wireless. The connection between the base and the doorbell would be configured to only allow for the voice/video/doorbell functions and that's it.
Even from a theft perspecive it is bad design practise to have this placed outdoor... Why not place only the camera and button outdoor and have a simple wire connection to the wifi module.

It's such a design flaw it becomes even funny

Because 95+% of consumers would rather have something simple to install rather than something that requires drilling holes in their house or professional installation.
But presumably the existing doorbell would already have simple wires running inside?
You can either wire it in to an old doorbell for power or you can disconnect it periodically and recharge via USB.
How is this device powered? Do you have to charge it or is it connected to an outlet in some way? I'm thinking that you might already have to drill a hole for power.
Why would someone steal a doorbell? Vandalise, sure, but steal it?
I might be missing something, but .. in this case? I thought that this thing is completely wireless and probably can be firmware reset.

So - you steal it, because you can actually install it at home (or resell it for that purpose). You don't steal a (broken) part of a doorbell, you steal a complete IoT device that the thread here and the original article seem to consider useful.

https://ring.com/store/products/ring-doorbell - it's $200..

I'm sure ring can disable the doorbell remotely since you have to link the individual device to your account.
Interestingly, recently either there was a problem with my Ring's clips or someone tried to pry it off (and ironically wasn't captured on video). Any kind of exterior security device is vulnerable unless you can drill the access points into a building; at the same time, you're really using these as deterrents.
It doesn't seem all that serious. If somebody's going to be removing parts of your house, they're putting themselves are far greater risk of arrest than a hacker hiding behind the internet. Why not just slash their tires or start a fire while you're there? Even having the wifi password doesn't necessarily give you access to anything but their internet connection anyway.
Use wifi password to change nameservers on router (assuming router is using default admin user:pass) find which online bank they're using and clone the site's homepage with a passthrough form to steal credentials. Et cetera.

Seems useful to a crook.

It would be interesting to do a similar device, but based around a peephole rather than a doorbell. I'll call it Peep.

Peep will require a little more work to install than Ring, so won't be quite as convenient.

You'd remove the existing peephole, and then attach Peep through the hole. Peep would have an outside component that contains the camera, microphone, and speaker, and an inside component that contains a display and the wifi unit.

The place where the outside component connects to the inside would be on the inside, so from outside you can not simply detach the outside component like you can with Ring.

The inside component would also contain a microphone and a vibration sensor, so that it can tell when someone rings the doorbell or knocks on the door.

Although Peep installation would not be as easy as installing Ring, it shouldn't be too bad since it reuses the peephole hole so you do not have to make any new holes.

Mount it on the inside, flush with the existing peep-hole + macro optics.
What I'm curious to know: if you own the network, how hard is it to spoof a response from the Ring server telling the doorbell to open the lock (Assuming one is already configured).
Don't forget to scroll down to the end of the article. Spoiler alert: they fixed it. "A firmware update was released earlier this week that fixes this issue, just two weeks after we disclosed it to them privately. Good job Ring!"
Seems like if they send the people a new device in the mail it would be more valuable to see if the camera and other components were salvageable -- then I could see people stealing them for pieces :/