Blink XT2 surveillance cams patched after 'severe' vulnerabilities found

13 Dec 2019

If you’re in the market for home security cameras, it’s best to do your research and ensure that the brands on your shortlist put their own security first.

The Amazon-owned Blink XT2 is the latest in a long list of home security camera systems that are far from secure, especially if they aren’t patched.

Security firm Tenable Research uncovered seven ‘severe’ vulnerabilities in the camera systems, which, if exploited, could give attackers full control of an affected device, allowing them to remotely view camera footage, listen to audio output and hijack the device for use in a botnet to perform, for example, distributed denial of service (DDoS) attacks, steal data or send spam.

“To start, compromising the devices via physical access is trivial. As we’ve covered in the past when looking at similar devices, it’s common for vendors and manufacturers to leave debug ports and other such connectors enabled for production runs of the devices. While intended for developers, there is nothing preventing someone else from connecting to these interfaces,” Tenable’s James Sebree explains.

Amazon has released patches for the vulnerabilities and users are urged to confirm their device is updated to firmware version 2.13.11 or later.

The vulnerabilities highlight the importance of strong security in products that connect to the internet (internet of things, or IoT, devices).

Despite what seems like an almost eternal message to IoT device manufacturers to put security first, it seems that some still don’t listen.

“Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought,” says Tenable’s cofounder and chief technology officer Renaud Deraison.

“This is especially critical when the device in question is a security camera. We thank Amazon for collaborating with us in this disclosure to ensure patches were released in a timely manner. Tenable Research continues to identify and disclose vulnerabilities across enterprise and consumer technology to keep everyone more secure."

Sebree explains that consumers can protect themselves by making sure their devices are updated to the latest versions.

“Due to the way the Blink cameras and sync modules connect to and communicate with the Blink cloud infrastructure, updates are generally automatic and strictly enforced.”

But the bad news?

“Unfortunately, detecting already compromised devices is tricky since it is possible to bypass or fool these update checks. Other than manually inspecting the devices for rogue functionality or verifying firmware integrity, there isn’t much the typical consumer can do on their own to check if they are already compromised.”

And to sum up, Sebree writes, “As we’ve said time and time again, IoT surveillance devices are a new norm. From video-enabled doorbells to internet-connected baby monitors, consumers need to be aware of the tradeoffs and risks these devices introduce if they choose to welcome them into their homes.”
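Two practical checks follow from the article: confirming that a device reports firmware 2.13.11 or later, and, as Sebree notes, verifying firmware integrity when automatic update checks cannot be trusted. The script below is an added example, not Tenable's or Amazon's code, and it does not talk to Blink's cloud or devices; it assumes you already have each device's reported version string (and, optionally, a firmware image plus a vendor-published SHA-256 digest, which is shown here only as a constructed placeholder). It also shows why comparing version strings as plain text is a trap: "2.9.0" sorts after "2.13.11" as text, so a naive check would pass an unpatched device.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Minimum patched firmware version stated in the article.
MIN_PATCHED_VERSION = "2.13.11"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.13.11' into (2, 13, 11) so components compare numerically.

    A trailing suffix on a component (e.g. '11-rc1') is ignored; a component
    with no leading digits is rejected rather than silently treated as 0.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def is_patched(installed: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True when the installed version is at or above the patched minimum."""
    return parse_version(installed) >= parse_version(minimum)


def naive_string_check(installed: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """The wrong way: lexicographic string comparison (kept to show the pitfall)."""
    return installed >= minimum


def audit_inventory(devices: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> 'patched' / 'UNPATCHED' / 'unknown' for an inventory
    of reported firmware versions (a dict of constructed sample data here)."""
    report: Dict[str, str] = {}
    for name, version in devices.items():
        try:
            report[name] = "patched" if is_patched(version) else "UNPATCHED"
        except ValueError:
            report[name] = "unknown"
    return report


def sha256_hex(image: bytes) -> str:
    """SHA-256 digest of a firmware image, as lowercase hex."""
    return hashlib.sha256(image).hexdigest()


def firmware_matches(image: bytes, expected_sha256: str) -> bool:
    """Compare an image digest against a vendor-published digest.

    hmac.compare_digest is used so the comparison time does not depend on
    where the first mismatching byte is.
    """
    return hmac.compare_digest(sha256_hex(image), expected_sha256.strip().lower())


if __name__ == "__main__":
    # Constructed sample inventory: names and versions are made up.
    sample_devices = {
        "front-door-cam": "2.13.11",
        "garage-cam": "2.9.0",
        "sync-module": "2.13.12",
        "spare-cam": "unknown-build",
    }
    for device, status in audit_inventory(sample_devices).items():
        print(f"{device:15s} {sample_devices[device]:14s} {status}")

    # Constructed placeholder image and digest; a real check would use the
    # vendor-published digest for the exact firmware build.
    sample_image = b"PLACEHOLDER-FIRMWARE-IMAGE"
    published_digest = sha256_hex(sample_image)  # stands in for the vendor value
    print("integrity ok:", firmware_matches(sample_image, published_digest))
```

The `naive_string_check` function is deliberately kept beside `is_patched` so the difference is visible: for a device reporting "2.9.0" the string check says it is up to date while the numeric check correctly flags it. Treat "unknown" results as findings too, since a device that cannot report a sane version is exactly the kind of thing Sebree's remark about bypassed update checks warns about.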
