Amazon security: Patches fix multiple flaws exposing Blink cameras to hijacking

The vulnerabilities could be exploited by a friend or contractor who secretly wants to harm you.


Amazon has released updates to its Blink XT2 home security cameras after researchers discovered multiple flaws that could let nearby hackers hijack the cameras. 

Researchers at Tenable Security reported several command-injection vulnerabilities to Amazon in August, and the company began rolling out fixes in December. Users of Blink XT2 cameras should check that their firmware is version 2.13.11 or later, says Tenable.

The flaws relate to the security camera's Sync Module, an extra network device that acts as a hub between the camera and the cloud. The Module allows users to divvy up the home into camera zones – for example, to control multiple cameras inside and outside the house, which the user may want to operate at different times. 


But the Sync Module flaws could allow an attacker to harm the user's account and connected cameras, including controlling cameras, disabling devices, viewing stored pictures and videos, and adding rogue devices to an account. 

The command-injection flaws on the Sync Module were found in the cloud communication devices for providing updates or fetching network information.

"When checking for updates, the device first obtains an update helper script (sm_update) from the web, and then immediately runs the content of this script with zero sanitation," explained James Sebree, a principal research engineer at Tenable.

This issue could then be exploited by a man-in-the-middle (MitM) attack to manipulate the response.   
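The fetch-and-run pattern described above, next to a version that checks the helper before executing it. This is an added example, not Blink's or Tenable's code: the script bodies are constructed stand-ins for sm_update, and the pinned SHA-256 is an assumed integrity check, since the article does not describe how the fix works.

```python
import hashlib
import hmac
import subprocess

# Constructed stand-ins for the helper script body; not the real sm_update.
GENUINE = b"echo checking-for-update\n"
TAMPERED = GENUINE + b"echo injected-by-mitm\n"

# Assumption: the firmware image carries the digest of the helper it expects.
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


class IntegrityError(Exception):
    """Raised when the fetched helper does not match the pinned digest."""


def run_script(body: bytes) -> str:
    """Feed the helper script to sh on stdin and return its stdout."""
    result = subprocess.run(["sh", "-s"], input=body,
                            capture_output=True, check=True)
    return result.stdout.decode()


def vulnerable_update(fetch) -> str:
    """Pattern from the article: fetch the helper, then run it immediately."""
    return run_script(fetch())


def hardened_update(fetch, pinned_sha256: str = PINNED_SHA256) -> str:
    """Fetch the helper, verify it against the pinned digest, then run it."""
    body = fetch()
    actual = hashlib.sha256(body).hexdigest()
    # Constant-time comparison; nothing is executed on a mismatch.
    if not hmac.compare_digest(actual, pinned_sha256):
        raise IntegrityError(f"helper digest mismatch: {actual}")
    return run_script(body)


if __name__ == "__main__":
    clean_channel = lambda: GENUINE    # unmodified response
    mitm_channel = lambda: TAMPERED    # response modified in transit

    print(vulnerable_update(mitm_channel), end="")  # extra line runs too
    print(hardened_update(clean_channel), end="")
    try:
        hardened_update(mitm_channel)
    except IntegrityError as exc:
        print("rejected:", exc)
```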

"If an attacker is able to MitM this request (either directly or indirectly – through some sort of DNS poisoning or hijacking), they can modify the contents of this response to suit their own needs or desires."

The other command-injection vulnerabilities were also due to insufficient sanitization of user-supplied input. For example, a bogus username and wrong process from the setup prompts in the mobile app were enough to start an SSH server on the Sync Module.

The researchers also discovered a flaw that required physical access to the device to exploit. However, this does not pose a major threat to users.


"The most obvious attack scenario for this flaw would be some sort of insider threat – babysitters, house or petsitters, Airbnb guests, or anyone else with somewhat privileged access to your home," noted Sebree.    

While users can be fairly well assured Blink cameras and Sync Modules will receive updates, Sebree notes that it's difficult to detect already compromised devices, which would require specialized skills to inspect the devices for rogue functionality and verify firmware integrity.