By John Gruber
Computing:
Once the device is reset, it starts the process of pairing itself with the owner’s Wi-Fi network. Because the exchange of information between the device and the app is performed via an unsecured HTTP connection, it enables a hacker within range of the Wi-Fi network to intercept the login details.
The patch released by Ring to mitigate the vulnerability ensures that the device uses an HTTPS connection while broadcasting a Wi-Fi signal for the phone to grab. The connection is also secured through a digital certificate, signed by the firm and validated by the app.
Ring was using HTTP? That seems less like a mistake and more like gross incompetence.
★ Friday, 8 November 2019