Amazon has released a series of patches for the security camera, but relying on customers to install updates and notice rogue commands is no recipe for security.
Sometimes, what you don’t know and can’t see can really hurt you, and this is especially true in cybersecurity.
This week, Amazon released a series of updates for the Blink XT2 security camera that the company says patches the vulnerabilities in the Sync Module, the extra network device that connects the camera to the cloud. The flaws were first revealed in August, when researchers from Tenable Security published eight vulnerabilities that affect the cameras, which can be used to carry out command injection attacks.
In their report, Tenable states that the optimal solution for the flaw is to “ensure devices are updated to firmware version 2.13.11 or later.”
In a Medium post, Tenable’s Principal Research Engineer James Sebree says that the flaws include “three-ish” vectors of attack “which could potentially allow attackers to take further action against an end user’s entire account and associated cameras.”
Sebree called compromising the devices via physical access “trivial” and that there is nothing preventing someone from connecting to the de3busg ports and other connectors enabled for production runs of the cameras. That said, such an attack would require that the attacker be in direct contact with the device for at least a few minutes. From the user’s home network however, a malicious actor could make their way into the device.
What does Sebree suggest? He says that “other than manually inspecting the devices for rogue functionality or verifying firmware integrity, there isn’t much the typical consumer can do on their own to check if they are already compromised.”
And what about users who don’t know how to spot rogue functionality or inspect their firmware integrity? What if users can’t tell if their device has already been compromised? These users are left to rely upon the device’s automatic updates and hope that Amazon stays a step ahead of the people looking to exploit these flaws.
Tenable’s report is further evidence of the importance of built-in cybersecurity that requires no user intervention throughout the lifecycle of the device. According to a recent poll carried out for Karamba, entitled “Consumer Attitude Towards IoT Security,” 74% of respondents expect their consumer “Internet of Things” devices to be secured by manufacturers, and 87% believe it is the responsibility of manufacturers to build security into these devices.
The survey also revealed that consumers are concerned about the security of “smart home” devices like Blink XT2, with 50% saying they were more concerned about their IoT devices being attacked than their home being burglarized.
What can be done? While the new updates for Blink XT2 should make these devices far more secure than before, a more permanent solution is needed. For the sake of the privacy and security of consumers, manufacturers must install built-in security in their connected devices, which can dynamically react to new threats, and adhere to the approved manufacturer settings of the product for as long as they are in operation.