December 10, 2019
Threat actors could gain complete control of the Amazon-owned security cameras to obtain personal information and launch further attacks
Tenable®, Inc., the Cyber Exposure company, today announced that its research team has discovered seven severe vulnerabilities in Amazon-owned Blink XT2 security camera systems. If exploited, the vulnerabilities could give attackers full control of an affected device, allowing them to remotely view camera footage, listen to audio output and hijack the device for use in a botnet to perform, for example, distributed denial of service (DDoS) attacks, steal data or send spam.
According to Strategy Analytics, over 50 million smart home cameras were sold in 2018. However, these devices are also a potential gateway for bad actors to gain access to personal information and home networks. If exploited, the flaws in Blink XT2 allow an attacker to obtain sensitive information about the owner’s account, enabling them to view stored photographs and videos, add or remove devices from the account or block camera communications entirely.
“Connected devices, like Blink cameras, are everywhere. Precisely for that reason, cybercriminals are focused on compromising them,” said Renaud Deraison, co-founder and chief technology officer, Tenable. "Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought. This is especially critical when the device in question is a security camera. We thank Amazon for collaborating with us in this disclosure to ensure patches were released in a timely manner. Tenable Research continues to identify and disclose vulnerabilities across enterprise and consumer technology to keep everyone more secure."
As the attack surface expands with the adoption of connected devices, including IoT and operational technology (OT), foundational cybersecurity is paramount. Tenable is leading the charge by building the largest vulnerability intelligence knowledge base in the industry and one of the largest security research teams, which has surpassed its 100th zero-day discovery in 2019. Its extensive vulnerability research and expertise spans beyond traditional IT and includes everything from critical infrastructure to enterprise applications. Tenable works alongside vendors and the entire security community to identify, disclose and patch vulnerable technology to keep organizations and their customers more secure.
Amazon has released patches for the vulnerabilities and users are urged to confirm their device is updated to firmware version 2.13.11 or later.
For more information, visit the Tenable Research Medium blog.
Tenable®, Inc. is the Cyber Exposure company. Over 27,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include more than 50 percent of the Fortune 500, more than 25 percent of the Global 2000 and large government agencies. Learn more at www.tenable.com.
443-545-2102, x 1544