Earlier this month, some owners of a smart doorbell — a security camera and intercom device for the front door — found out that their gadget was sending tiny packets of data to somewhere it shouldn’t: China.
The doorbell, made by Los Angeles-based startup Ring, is supposed to send user video and audio data to Amazon Web Services servers. But, unknown to even the company, tiny packets of audio data were also being routed to a server in China run by Chinese internet giant Baidu at seemingly random intervals.
A Reddit user discovered the strange traffic coming off their device and put up a post about it. Users were concerned. A week later, a post on the website IoT For All stoked the flame with a piece called “Huge Vulnerability Discovered in the Ring Doorbell.”
Ring tried to move fast. Within five days of the Reddit post, the company’s chief technology officer, Joshua Roth, responded to the original thread, explaining the data being sent to China is only 20 milliseconds of audio data and that it doesn’t represent any security vulnerability. It promised a firmware update to all Ring Video Doorbell Pro devices — the only Ring device affected with the bug — to stop the connection to the Chinese server.
Last week, Ring hired consulting firm Tevora to audit the device and make sure nothing was wrong. In the report seen by Forbes, the consultancy confirmed that the device was secure and now no longer communicating with Chinese servers. The flaw existed in firmware version 1.4.26, but was no longer present in updated version 1.4.29. Tevora said it classified the issue not as a vulnerability but as simply a harmless bug.