I live in a large apartment complex (it’s literally a city block big), so I spend a disproportionate amount of time walking down corridors. Recently one of my neighbours installed a Ring wireless doorbell. By default these are motion activated (and the process for disabling motion detection is far from obvious), and if the owner subscribes to an appropriate plan these recordings are stored in the cloud. I’m not super enthusiastic about the idea of having my conversations recorded while I’m walking past someone’s door, so I decided to look into the security of these devices.
One visit to Amazon later and I had a refurbished Ring Video Doorbell 2™ sitting on my desk. Tearing it down revealed it uses a TI SoC that’s optimised for this sort of application, linked to a DSP that presumably does stuff like motion detection. The device spends most of its time in a sleep state where it generates no network activity, so on any wakeup it has to reassociate with the wireless network and start streaming data.
So we have a device that’s silent and undetectable until it starts recording you, which isn’t a great place to start from. But fortunately wifi has a few, uh, interesting design choices that mean we can still do something. The first is that even on an encrypted network, the packet headers are unencrypted and contain the address of the access point and whichever device is communicating. This means that it’s possible to just dump whatever traffic is floating past and build up a collection of device addresses. Address ranges are allocated by the IEEE, so it’s possible to map the addresses you see to manufacturers and get some idea of what’s actually on the network even if you can’t see what they’re actually transmitting. The second is that various management frames aren’t encrypted, and so can be faked even if you don’t have the network credentials.
The most interesting one here is the deauthentication frame that access points can use to tell clients that they’re no longer welcome. These can be sent for a variety of reasons, including resource exhaustion or authentication failure. And, by default, they’re entirely unprotected. Anyone can inject such a frame into your network and cause clients to believe they’re no longer authorised to use the network, at which point they’ll have to go through a new authentication cycle – and while they’re doing that, they’re not able to send any other packets.
So, the attack is to simply monitor the network for any devices that fall into the address range you want to target, and then immediately start shooting deauthentication frames at them once you see one. I hacked airodump-ng to ignore all clients that didn’t look like a Ring, and then pasted in code from aireplay-ng to send deauthentication packets once it saw one. The problem here is that wifi cards can only be tuned to one frequency at a time, so unless you know the channel your potential target is on, you need to keep jumping between frequencies while looking for a target – and that means a target can potentially shoot off a notification while you’re looking at other frequencies.
But even with that proviso, this seems to work reasonably reliably. I can hit the button on my Ring, see it show up in my hacked up code and see my phone receive no push notification. Even if it does get a notification, the doorbell is no longer accessible by the time I respond.
There’s a couple of ways to avoid this attack. The first is to use 802.11w which protects management frames. A lot of hardware supports this, but it’s generally disabled by default. The second is to just ignore deauthentication frames in the first place, which is a spec violation but also you’re already building a device that exists to record strangers engaging in a range of legal activities so paying attention to social norms is clearly not a priority in any case.
Finally, none of this is even slightly new. A presentation from Def Con in 2016 covered this, demonstrating that Nest cameras could be blocked in the same way. The industry doesn’t seem to have learned from this.
 The Ring Video Doorbell 2 just uses addresses from TI’s range rather than anything Ring specific, unfortunately