
Blink XT2 surveillance cams patched after 'severe' vulnerabilities found

13 Dec 2019

If you’re in the market for home security cameras, it’s best to do your research and ensure that the brands on your shortlist put their own security first.

The Amazon-owned Blink XT2 is the latest in a long list of home security camera systems that are far from secure, especially if they aren’t patched.

Security firm Tenable Research uncovered seven ‘severe’ vulnerabilities in the camera systems which, if exploited, could give attackers full control of an affected device, allowing them to remotely view camera footage, listen to audio output and hijack the device for use in a botnet to, for example, perform distributed denial of service (DDoS) attacks, steal data or send spam.

“To start, compromising the devices via physical access is trivial. As we’ve covered in the past when looking at similar devices, it’s common for vendors and manufacturers to leave debug ports and other such connectors enabled for production runs of the devices. While intended for developers, there is nothing preventing someone else from connecting to these interfaces,” Tenable’s James Sebree explains.

Amazon has released patches for the vulnerabilities and users are urged to confirm their device is updated to firmware version 2.13.11 or later.

The vulnerabilities highlight the importance of strong security in products that connect to the internet (otherwise known as internet of things, or IoT, devices).

Despite what seems like an almost eternal message to IoT device manufacturers to put security first, it seems that some still don’t listen.

“Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought,” says Tenable’s cofounder and chief technology officer Renaud Deraison.

“This is especially critical when the device in question is a security camera. We thank Amazon for collaborating with us in this disclosure to ensure patches were released in a timely manner. Tenable Research continues to identify and disclose vulnerabilities across enterprise and consumer technology to keep everyone more secure."

Sebree explains that consumers can protect themselves by making sure their devices are updated to the latest versions.

“Due to the way the Blink cameras and sync modules connect to and communicate with the Blink cloud infrastructure, updates are generally automatic and strictly enforced.”

But the bad news?

“Unfortunately, detecting already compromised devices is tricky since it is possible to bypass or fool these update checks. Other than manually inspecting the devices for rogue functionality or verifying firmware integrity, there isn’t much the typical consumer can do on their own to check if they are already compromised.”
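The two consumer-side checks the article mentions, confirming the firmware is at 2.13.11 or later and verifying firmware integrity, are the kind of thing a defender can script. The block below is an added illustration, not code from Tenable, Amazon or Blink: it assumes you can obtain the version string the device reports and a copy of the firmware image through whatever means the vendor supports, and that a known-good SHA-256 digest for that image is available from a trusted, out-of-band source (the sample image and digest here are constructed in the code for demonstration; Blink's actual image format and distribution channel are not described on the page).

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Minimum patched firmware version named in the article.
MIN_PATCHED_VERSION = "2.13.11"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so that
    comparison is numeric per component ("2.9.1" < "2.13.11"),
    not a plain string comparison (where "2.9" would sort after "2.13")."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"malformed version string: {version!r}") from exc


def is_patched(reported: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True when the device-reported version is at or above the patched release."""
    return parse_version(reported) >= parse_version(minimum)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def firmware_matches_manifest(image: bytes, expected_sha256: str) -> bool:
    """Compare the image digest against the expected one in constant time.
    The expected digest must come from a trusted source (vendor manifest,
    signed release notes), never from the image under test."""
    return hmac.compare_digest(sha256_hex(image), expected_sha256.strip().lower())


def check_device(reported_version: str, image: bytes, expected_sha256: str) -> Dict[str, bool]:
    """Summarise both checks; a device needs both to be True to be considered
    up to date and unmodified (hypothetical helper, not a Blink API)."""
    return {
        "version_ok": is_patched(reported_version),
        "integrity_ok": firmware_matches_manifest(image, expected_sha256),
    }


# Constructed sample data: a stand-in firmware blob, the digest a vendor
# manifest would publish for it, and a one-byte-modified copy.
SAMPLE_IMAGE = b"SAMPLE-FIRMWARE-IMAGE-" + bytes(range(64))
SAMPLE_MANIFEST_SHA256 = sha256_hex(SAMPLE_IMAGE)   # stands in for the vendor-published value
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"\x00"

if __name__ == "__main__":
    print(check_device("2.13.11", SAMPLE_IMAGE, SAMPLE_MANIFEST_SHA256))
    print(check_device("2.13.9", TAMPERED_IMAGE, SAMPLE_MANIFEST_SHA256))
```

The version parser avoids the common mistake of comparing version strings lexically, and the digest comparison uses `hmac.compare_digest` so the check itself does not leak timing information. As the article notes, a device that reports a current version can still be lying about it, which is why the integrity check against an independently obtained digest matters more than the version string alone.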

And to sum up, Sebree writes, “As we’ve said time and time again, IoT surveillance devices are a new norm. From video-enabled doorbells to internet-connected baby monitors, consumers need to be aware of the tradeoffs and risks these devices introduce if they choose to welcome them into their homes.”
