I must post a warning at the beginning of this post for anyone reading, this is not for educational purpose, rather consider this as a working POC. So , follow these if you are absolutely certain that you want yo disable a Ring security camera.
Ring security camera systems , surprisingly are vulnerable to de-auth attacks and to perform such attack and throwing the camera offline, we don’t need any other device (like wife jammer etc).
De-auth attacks are very simple, we craft and send Deauthentication requests to the Client (Ring device) , they being obedient heartless machines, follow the requests and disconnect themselves from the AP they were connected to.
1. We start by listing all the Wireless Network interfaces I have by a simple command iwconfig
I have two Network Interfaces wlan0 and wlan1
I use wlan0 for connecting to Internet. So decided to use the other one wlan1 for thos purpose. You don’t need two interfaces. Only thing is once we enable monitor mode, that interface will not be able to access Internet.
2. Enable monitor mode on wlan1 : Now we need to enable monitor mode on wlan1. Once enabled wlan1 can be used to capture all the packets flying around within range. And soms details of thos packets.
We start monitoring mode on wlan1 by the command airmon-ng start wlan1
The output will tell us if the monitoring been enabled successfully or not.
Now if you list wireless interfaces it will tell taht wlan1 is working in monitoring mode
3. Start monitoring the packets: Now we jave wlan1 interface working in monitoring mode, we can start capturing packets from within range. This will capture all Sync packets and display the header the command airodump-ng wlan1
This is an interesting output, I can talk about all the columns in a seperate post where I will explain a generic Wifi jammer but for now lets look at only the columns we are interested in this case
BSSID : The MAC address of the AP
ESSID: The name of the AP
In seperate post I will explain the importance of PWR , ENC , AUTH and CH columns but for now we are good.
92FFAF is the AP where my Ring devices are connected.
4.Once we get the BSSID that is MAC address of the exact AP that we need , we can execute airodump only for this AP and get a list of Clients (stations) connected to it.
airodump-ng -d 58:19:F8:F0:51:0D wlan1
Perfect , we see two devices / clients / stations – one is my phone and
other one from MAC address we can tell is the Ring Camera of my garage.
You initially may not see the station/client you wanted here even though taht seems connected. Remember the connected device must perform some activity/ pacaket transfer to-from AP/Router.
So for mobile , i refreshed a browser, for Ring camera go and dance in front of it probably 😄
5. Start sending de-auth signal to the router to disconnect this Station.
aireplay-ng -0 0 -a <MAC address of AP / BSSID> -c < MAC address of the Station/ Camera> -D <interface name>
This will start sending de-auth to AP telling to disconnect that station. -0 0 will make it an infinite loop
At this , I tried openning the Ring Camera for Garage, and it is not loading up
The Camera has been blinded , its the time.
Again as I said this post was not for educational purpose, and rather its a Proof of Concept , hence I skipped many explanations.
Hope next time before telling “Protected By Ring” you can think about me.
Happy hacking.
