SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Blink XT2 surveillance cams patched after 'severe' vulnerabilities found
Fri, 13th Dec 2019
FYI, this story is more than a year old

If you're in the market for home security cameras, it's best to do your research and ensure that the brands on your shortlist put their own security first.

The Amazon-owned Blink XT2 is the latest in a long list of home security camera systems that are far from secure, especially if they aren't patched.

Security firm Tenable Research uncovered seven ‘severe' vulnerabilities in the camera systems, which if exploited, could give attackers full control of an affected device, allowing them to remotely view camera footage, listen to audio output and hijack the device for use in a botnet to perform, for example, distributed denial of service (DDoS) attacks, steal data or send spam.

“To start, compromising the devices via physical access is trivial. As we've covered in the past when looking at similar devices, it's common for vendors and manufacturers to leave debug ports and other such connectors enabled for production runs of the devices. While intended for developers, there is nothing preventing someone else from connecting to these interfaces,” Tenable's James Sebree explains.

Amazon has released patches for the vulnerabilities and users are urged to confirm their device is updated to firmware version 2.13.11 or later.

The vulnerabilities highlight the importance of strong security in products that connect to the internet (otherwise known as internet of things devices).

Despite what seems like an almost eternal message to IoT device manufacturers to put security first, it seems that some still don't listen.

"Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought,” says Tenable's cofounder and chief technology officer Renaud Deraison.

“This is especially critical when the device in question is a security camera. We thank Amazon for collaborating with us in this disclosure to ensure patches were released in a timely manner. Tenable Research continues to identify and disclose vulnerabilities across enterprise and consumer technology to keep everyone more secure."

Sebree explains that consumers can protect themselves by making sure their devices are updated to the latest versions.

“Due to the way the Blink cameras and sync modules connect to and communicate with the Blink cloud infrastructure, updates are generally automatic and strictly enforced.

But the bad news?

“Unfortunately, detecting already compromised devices is tricky since it is possible to bypass or fool these update checks. Other than manually inspecting the devices for rogue functionality or verifying firmware integrity, there isn't much the typical consumer can do on their own to check if they are already compromised.

And to sum up Sebree writes, “As we've said time and time again, IoT surveillance devices are a new norm. From video-enabled doorbells to internet-connected baby monitors, consumers need to be aware of the tradeoffs and risks these devices introduce if they choose to welcome them into their homes.