Once the device is reset, it starts the process of pairing itself
with the owner’s Wi-Fi network. Because the exchange of
information between the device and the app is performed via an
unsecured HTTP connection, it enables a hacker within range of the
Wi-Fi network to intercept the login details.
The patch released by Ring to mitigate the vulnerability ensures
that the device uses an HTTPS connection while broadcasting a
Wi-Fi signal for the phone to grab. The connection is also secured
through a digital certificate, signed by the firm and validated by
Ring was using HTTP? That seems less like a mistake and more like gross incompetence.