How Hackers Exploit Smart Doorbells to Steal Your Wi‑Fi Password in Minutes
A recent security report reveals that hackers can compromise popular smart doorbells by unscrewing two screws, forcing the device into AP mode, accessing its built‑in web server via a special URL, and extracting the Wi‑Fi SSID and PSK, highlighting the broader vulnerability of IoT home devices.
Vulnerability Overview
Smart doorbell units that integrate Wi‑Fi, video, and audio (e.g., Ring) contain a wireless module supplied by Gainspan. The module includes an embedded web server that can operate in two modes: normal client mode and Access Point (AP) mode.
Attack Procedure
Physical access: By removing two exterior screws the attacker reaches a hidden button on the back of the doorbell.
Mode switch: Pressing the button forces the Gainspan radio to switch from client mode to AP mode.
Connection: The device creates its own Wi‑Fi network (SSID typically derived from the product name). The attacker connects a smartphone or laptop to this network.
Web interface: While connected, the attacker opens a browser and navigates to the module’s built‑in web server (usually http://192.168.0.1/ or a similar local address) using a known URL path.
Configuration leak: The server serves a plain‑text configuration file that contains the home Wi‑Fi SSID and pre‑shared key (PSK). The attacker copies these credentials.
Impact
With the extracted SSID and PSK the attacker gains unrestricted access to the victim’s home network. This enables lateral movement to other IoT devices, data exfiltration, or deployment of additional malware.
Mitigation and Recommendations
Apply the manufacturer’s firmware update that disables the undocumented AP mode or requires authentication before exposing the configuration file.
Restrict physical access to the doorbell housing; tamper‑evident screws or an enclosure can deter the initial button press.
Network segmentation: place IoT devices on a separate VLAN or guest network that does not have access to critical resources.
Monitor for rogue Wi‑Fi access points with SSIDs matching the device vendor, and block unknown APs at the router level.
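The monitoring step above can be automated. The following is an added example, not code from the original report or from any vendor: it parses terse output from `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` and flags any visible network whose SSID looks like the doorbell's own setup network, which should never be on air after installation. The SSID pattern, the sample scan, and the function names are assumptions; replace the pattern with the name your device actually broadcasts.

```python
import re

# Constructed sample scan (not real data). nmcli terse mode separates fields
# with ':' and escapes literal ':' and '\' inside values with a backslash.
SAMPLE_SCAN = r"""HomeNet:AA\:BB\:CC\:00\:00\:01:WPA2:82
Doorbell-1a2b3c:AA\:BB\:CC\:00\:00\:99::74
Cafe\: Guest:11\:22\:33\:44\:55\:66::40
"""

# Hypothetical naming scheme for the device's AP-mode SSID (assumption).
DEVICE_SSID_PATTERNS = [re.compile(r"^doorbell[-_ ]", re.IGNORECASE)]


def split_terse(line):
    """Split one nmcli terse line on unescaped ':' and undo the escaping."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # keep the escaped character literally
            i += 2
        elif ch == ":":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    fields.append("".join(current))
    return fields


def find_setup_mode_aps(scan_text):
    """Return visible APs whose SSID matches a device setup-mode pattern."""
    findings = []
    for line in scan_text.splitlines():
        parts = split_terse(line)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ssid, bssid, security, signal = parts
        if any(p.search(ssid) for p in DEVICE_SSID_PATTERNS):
            findings.append({
                "ssid": ssid,
                "bssid": bssid.lower(),
                "open": security in ("", "--"),  # no security flags reported
                "signal": int(signal) if signal.isdigit() else None,
            })
    return sorted(findings, key=lambda f: f["signal"] or 0, reverse=True)
```

Run it on a schedule from a host within radio range of the doorbell and alert on any non-empty result, since the device entering AP mode is the first observable sign of the tampering described above.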
ITPUB
