Researchers from vulnerability detection firm Tenable discovered seven critical vulnerabilities in Amazon-owned Blink XT2 security camera systems. If exploited, the vulnerabilities could allow hackers to remotely view the camera footage, listen to audio output, and use the infected device to launch distributed denial of service (DDoS) attacks.
In response, Amazon rolled out patches for the vulnerabilities and urged its users to update their devices to firmware version 2.13.11 or later.
Of the seven vulnerabilities identified by Tenable, two are critical. These are the command injection flaws CVE-2019-3984, which exists in Blink's cloud communication endpoints, and CVE-2019-3989, which exists in helper scripts on the device. The other five vulnerabilities are CVE-2019-3983, CVE-2019-3985, CVE-2019-3986, CVE-2019-3987, and CVE-2019-3988.
“Connected devices, like Blink cameras, are everywhere. Precisely for that reason, cybercriminals are focused on compromising them,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought.”
“This is especially critical when the device in question is a security camera. We thank Amazon for collaborating with us in this disclosure to ensure patches were released in a timely manner. Tenable Research continues to identify and disclose vulnerabilities across enterprise and consumer technology to keep everyone more secure,” Deraison added.
In a similar discovery, researchers uncovered a flaw in Amazon's Ring Video Doorbell Pro IoT device that could give hackers unauthorized access to the user's Wi-Fi network and potentially to other devices connected to it. The vulnerability was discovered by researchers at cybersecurity firm Bitdefender, who stated that all Ring Doorbell cameras have now received a security patch from Amazon to mitigate the issue.
Ring Doorbells are internet-connected doorbells that provide motion-sensing and video surveillance capabilities. They allow users to see and communicate with people at their door through an app, even when the users are away from home.
According to the researchers, the vulnerability arises when the Ring smartphone app sends the details of the wireless network connection to the Amazon Ring servers in the cloud. They found that this exchange takes place in an insecure manner, which bad actors can exploit.