Ring app continues to allow access after password change

The popular Ring video doorbell has been found to have a significant security flaw which allows a previously authenticated user to continue accessing the app even after the password has been changed. 

While the reporting on this has cited the Ring Video Doorbell specifically, this issue would pertain to any Ring devices associated with the affected account as it would appear to be related to the back end services authentication approach rather than anything specific to the hardware or firmware. 

While Ring has released a statement on this issue, it’s not yet clear the problem has been addressed.

 “Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security.

"We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring's "Shared Users" feature. This way, owners maintain control over who has access to their devices and can immediately remove users.

"Our team is taking additional steps to further improve the password change experience."

Calling this a problem with the ‘Password change experience’ is a bit amusing. Changing ones password actually locking people out is pretty fundamental, we’re not talking about a UI issue here. Nonetheless, Ring’s advice is also pretty fundamental: Don’t share your password!  This is security 101 for any service, but there is a catch. While Ring does now provide a feature to share access to your devices, as many cloud-based smart devices do, this was not always the case.

Back when Ring was a startup running their first doorbell product, DoorBot, the app did not have such a feature. Families who wanted to have access to the same doorbell needed to share the password of the DoorBot account. Those who later upgraded to a Ring Video Doorbell would likely have used the same account, and set up the app the same way. 

Security practices aside, the more concerning issue with this flaw is that Ring knew about this issue at least by January 2018, and implemented a fix. However, testing showed that a window still exists after changing the password for several hours. This would imply that a specific instance of the Ring app is given an authentication token by the back end service which persists, and is only challenged periodically.

While the need to enable an authenticated user to be able to open the app quickly on demand is a necessary convenience for a service which is time dependant (you need to be able to answer the doorbell in a limited time window), this is not a new problem to solve. It’s a but surprising that it’s taking this long to resolve given Ring’s past good security record.

It’s important to note that although this is being described as a ‘major’ security flaw, it only effects Ring users who have shared their password, and now want to cut that person off. There is no known exposure outside of legitimately authenticated users.