I have a love/hate relationship with my Ring Doorbell. When I purchased it in 2016 it worked great for a year with minimal issues. As it became more popular, I noticed the quality dropped with video freezes, black videos, and missed motion events. This led me to the Ring Doorbell subreddit where I found a community of users who were also experiencing the same issues. This made me feel a bit better (misery loves company, right?) but still disappointed that this $250 doorbell no longer lived up to its promise.
A number of the users who shared their negative feedback traced some of the poor service to firmware changes. It soon became commonplace to post your issues along with the firmware version your device was currently running. Pretty basic troubleshooting practice. So it was much to everyone’s dismay when in late 2017, Ring decided to change how they displayed firmware versions. In short, if your device is on the latest version, the mobile app would only display “Up to Date” as opposed to an actual firmware version number. But without an actual firmware version number to compare with others, for all you know your device may actually be on an older version but hasn’t properly updated itself such that it merely *thinks* it is up to date. Presumably, if it were actually out of date, it would display a version number, but this is useless as you cannot manually force an upgrade. And again, you can’t compare with others to know which version you should actually be on. This also makes it difficult to track changes that Ring is making and correlate them to your device’s performance improvements or degradations. As you might imagine, there was a lively Reddit discussion on this.
Being in the information security field, I know that software version numbers are critical to confirming that my application is fully patched against any identified security vulnerabilities. Naturally, I was disappointed by this change and soon looked for ways to determine the version number using, what else? My Palo Alto firewall.
I knew my Ring Doorbell had to communicate with Ring’s servers in some way to check if it was running the latest firmware version. I figured an easy way for Ring to do this is via user agent strings. So I first checked the Monitor tab to see if the user agent of the device appeared in the URL Filtering view. Sadly, the user agent field was blank, suggesting that it wasn’t normal HTTP traffic that this information was in. Still feeling confident that the user agent must be somewhere, I decided to run a packet capture through the Palo Alto via Monitor -> Packet Capture.
2. Navigate to Configure Filtering -> Manage Filters.
3. Click Add and configure the Source with the IP address of your Ring Doorbell. I have mine statically assigned via my DHCP server but this should be fairly easy for you to determine either in your wireless router or your Palo Alto firewall. Click OK when done.
4. In Configure Capturing click Add and select firewall for Stage and give your packet capture a file name. In this example I’ve used ringdoorbell. Click OK and your view should look like the one below.
5. Once you’re ready, in the same view set Packet Capture to ON. You’ll receive a warning about packet captures degrading system performance and to remember to disable the feature once you’re done. Click OK to proceed.
6. Now we need to generate some traffic through the doorbell to hopefully find the user agent string in the packet captures. Start a Live View session through your Ring mobile app and let it run for at least 30 seconds. Once completed, set Packet Capture back to OFF.
8. You’ve got a few options to view this file. Since I’m on a MacBook Pro, I’ll walk through how to use tcpdump to quickly find the user agent. You could also use Wireshark to accomplish this.
Locate the file on your system and use the following tcpdump command:

```
tcpdump -nn -r ringdoorbell.pcap -A | grep -i agent
reading from file ringdoorbell.pcap, link-type EN10MB (Ethernet)
```
Voila! You can see that my user agent shows that my Ring is on firmware version 1.13.00069. From here, I could look for ways to automate this or periodically run this check manually and compare with previous captures to see if I can correlate Ring issues with changing firmware numbers. Another way to possibly do this is to use my favorite security tool Bro to extract this automatically in real time.
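One way to automate the capture-to-capture comparison mentioned above, as an added example that is not from the original post: it reads a classic pcap, collects every `User-Agent:` value per source IP the way `grep -i agent` would, and reports devices whose value changed. The function names, the `ExampleCam/...` user agent format, and the `1.14.00001` version are constructed for illustration; the real Ring string is not shown on this page.

```python
import re
import socket
import struct

# Same match as `grep -i agent`, narrowed to the header value itself.
UA_RE = re.compile(rb"user-agent:[ \t]*([^\r\n]+)", re.IGNORECASE)

def user_agents(pcap_bytes):
    """Return {source_ip: {user-agent, ...}} from a classic pcap (Ethernet + IPv4)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:  # 1 = EN10MB
        raise ValueError("only Ethernet captures are handled")
    found, offset = {}, 24  # the global header is 24 bytes
    while offset + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4
            continue
        src_ip = socket.inet_ntoa(frame[26:30])  # 14-byte Ethernet + IPv4 offset 12
        for match in UA_RE.finditer(frame[14:]):
            agent = match.group(1).decode("latin-1").strip()
            found.setdefault(src_ip, set()).add(agent)
    return found

def changed(previous, current):
    """Devices whose user agent set differs between two captures."""
    return {ip: (previous.get(ip, set()), agents)
            for ip, agents in current.items() if previous.get(ip) != agents}

def sample_pcap(agent, src="192.0.2.10"):
    """Build a one-packet capture in memory. Constructed data, not real Ring traffic."""
    payload = b"HELLO\r\nUser-Agent: " + agent + b"\r\n\r\n"
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton("198.51.100.5"))
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0)
    frame = eth + ip + udp + payload
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    old = user_agents(sample_pcap(b"ExampleCam/1.13.00069"))
    new = user_agents(sample_pcap(b"ExampleCam/1.14.00001"))
    print(changed(old, new))
```

On a real capture, call `user_agents(open("ringdoorbell.pcap", "rb").read())` and keep each result to compare against the next one. A header split across two packets will not match, the same limitation the `grep` pipeline has.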
I hope that Ring strongly reconsiders this change and reverts back to displaying the full firmware version number. But in the meantime, I (and now you!) have a way to accurately determine this value.