Tenable exposes vulnerabilities in Blink XT2 security camera systems

Tenable today announced that its research team has discovered seven severe vulnerabilities in Amazon-owned Blink XT2 security camera systems. If exploited, the vulnerabilities could give attackers full control of an affected device, allowing them to remotely view the camera footage, listen to the audio output and hijack the device for use in a botnet to, for example, perform distributed denial-of-service (DDoS) attacks, steal data or send spam.

According to Strategy Analytics, over 50 million smart home cameras were sold in 2018. However, these devices are also a potential gateway for bad actors to gain access to personal information and home networks. If exploited, the flaws in Blink XT2 allow an attacker to obtain sensitive information about the owner’s account, view stored photographs and videos, add or remove devices from the account or block camera communications entirely.

“Connected devices, like Blink cameras, are everywhere. Precisely for that reason, cybercriminals are focused on compromising them,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought. This is especially critical when the device in question is a security camera. We thank Amazon for collaborating with us in this disclosure to ensure patches were released promptly. Tenable Research continues to identify and disclose vulnerabilities across the enterprise and consumer technology to keep everyone more secure.”

Amazon has released patches for these vulnerabilities and users are urged to confirm that their device is updated to firmware version 2.13.11 or later.