Multiple high-severity vulnerabilities have been discovered in Amazon-owned Blink XT2 security camera systems, which if exploited could give attackers complete control over them.
The internet-of-things (IoT) cameras (not to be confused with the Blink open-source browser engine) consist of a wireless camera and monitoring system for consumers. The flaws could enable attackers without physical access to the devices to view camera footage, listen to audio output and hijack the device for use in a botnet, Tenable researchers disclosed on Tuesday. Amazon has been notified of the flaws and has rolled out patches.
“Connected devices, like Blink cameras, are everywhere. Precisely for that reason, cybercriminals are focused on compromising them,” said Renaud Deraison, co-founder and CTO with Tenable, in a statement. “Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought. This is especially critical when the device in question is a security camera.”
Overall, seven CVEs were disclosed in Blink. The most serious vulnerability is a command injection flaw stemming from the sync module update (CVE-2019-3984), which exists in Blink’s cloud communication endpoints for providing updates to devices or obtaining network information.
When checking for updates, the device first obtains an update helper script (sm_update) from the web, and then immediately runs the content of this script – with zero sanitization. In other words, the script that retrieves updates feeds the remotely obtained data directly to “os.execute()”, without any validation.
“If an attacker is able to [man-in-the-middle] this request (either directly or indirectly — through some sort of DNS poisoning or hijacking), they can modify the contents of this response to suit their own needs or desires,” researchers said.
Researchers were able to hijack the DNS lookups for the “.server” variable on Blink’s sync modules, for instance, allowing them to hijack requests intended for “<blink for home cloud endpoint>/fw/update_tls/<version number>” and return their own customized responses (such as “echo “Update hijacked.” && id”). These are then fed directly to “os.execute” within /root/apps/connection/start_get_sm_update.
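The defensive counterpart to the flow described above, as an added example that is not Blink's or Tenable's code: the device refuses to run a fetched update helper unless it carries a tag that verifies under a key pinned in firmware, so a man-in-the-middle or DNS-hijacked response cannot substitute its own script. The key, the sample script and the `wifi`-free helper names are constructed for this example; a real device would hold only a public key and check an asymmetric signature (e.g. Ed25519), with HMAC used here only to stay dependency-free.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile
from typing import Optional

# Hypothetical key pinned in firmware (constructed for this example, not a
# real secret). Production firmware should hold only a public key and verify
# an asymmetric signature so a compromised unit leaks nothing usable to sign.
PINNED_KEY = b"constructed-example-key-not-a-real-secret"

# Constructed sample update helper; the vendor ships it together with its tag.
GENUINE_SCRIPT = b"#!/bin/sh\n# constructed update helper\nexit 7\n"


def sign_update(script: bytes, key: bytes = PINNED_KEY) -> bytes:
    """Vendor side: tag that accompanies the helper script in the response."""
    return hmac.new(key, script, hashlib.sha256).digest()


def verify_update(script: bytes, tag: bytes, key: bytes = PINNED_KEY) -> bool:
    """Device side: constant-time check performed before anything is executed.
    A tampered response body cannot carry a matching tag without the key."""
    return hmac.compare_digest(sign_update(script, key), tag)


def apply_update(script: bytes, tag: bytes, key: bytes = PINNED_KEY) -> Optional[int]:
    """Run the helper only if it verifies; return its exit status, or None when
    refused. The pattern in the advisory handed the fetched bytes straight to
    os.execute(); here an unverified body is never run."""
    if not verify_update(script, tag, key):
        return None
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(script)
        path = f.name
    try:
        # Explicit interpreter and argv list: the script runs as a file rather
        # than as a string spliced into a shell command line.
        return subprocess.run(["/bin/sh", path], check=False).returncode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    tag = sign_update(GENUINE_SCRIPT)
    print("genuine:", apply_update(GENUINE_SCRIPT, tag))          # 7
    tampered = GENUINE_SCRIPT + b'echo "Update hijacked." && id\n'
    print("tampered:", apply_update(tampered, tag))                # None
```

Signing the helper complements, rather than replaces, TLS with a pinned CA on the update endpoint: the signature protects the script even when the transport is subverted.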
Researchers also discovered failed sanitization (CVE-2019-3989) in a function called “get_network()”, which exists in other helper scripts on the device. External output received by the “get_networks()” function in /root/apps/auth_gen/auth_gen is not properly validated (before it’s fed directly to “os.execute()”), which could lead to remote code execution with root access, researchers said.
“While this function does not appear to be used during the course of normal operation, if it ever is, another command injection point exists due to failed sanitation,” said researchers. “We have manually triggered this function in order to verify this flawed functionality.”
Researchers acknowledged that while these two flaws “have a significant impact,” they are more easily exploited from an attacker already connected to a home network.
“It is possible for these flaws to be remotely exploited, but unlikely due to the many external factors at bay,” Jimi Sebree, principal research engineer at Tenable, told Threatpost. “While being able to poison the device’s DNS cache, getting the device to somehow connect to an attacker-controlled endpoint, or taking control of the update server are all possible, they involve many unknowns that make attacks unreliable. If successfully exploited, these flaws would give attackers complete control of the device.”
Other Flaws
Researchers also disclosed five other, less serious vulnerabilities, including four CVEs stemming from Wi-Fi configuration parameters in Blink failing to sanitize user-supplied input in some of the internal management scripts (CVE-2019-3985, CVE-2019-3986, CVE-2019-3987, CVE-2019-3988). Because these parameters are passed to the shell and executed without sufficient sanitization, they allow command injection as the root user. Researchers also disclosed a flaw in exposed header pins that could allow a serial connection to the sync module, which then enables root access to the device with easily bypassed default credentials (CVE-2019-3983).
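The Wi-Fi parameter flaws above come down to one pattern: user-supplied values spliced into a command string that a shell then parses. The following added example (not Blink's scripts; `wifi_setup` and its flags are hypothetical) shows that shape beside two hardened forms, an argv list that no shell ever parses, and shell quoting for runtimes whose exec API only accepts a string, as Lua's `os.execute` does.

```python
import re
import shlex
from typing import List

# Constructed example modelling a setup helper that receives the SSID and
# passphrase entered during device setup. `wifi_setup` is hypothetical.
SSID_RE = re.compile(r"^[\x20-\x7e]{1,32}$")  # printable ASCII, 802.11 SSID length cap
PSK_RE = re.compile(r"^[\x20-\x7e]{8,63}$")   # WPA2 passphrase length limits


def build_command_unsafe(ssid: str, psk: str) -> str:
    """The shape the advisory describes: values interpolated into a command
    string, so shell metacharacters in them become additional commands."""
    return f"wifi_setup --ssid {ssid} --psk {psk}"


def build_command_quoted(ssid: str, psk: str) -> str:
    """String-only fix: validate, then quote each value so the shell treats it
    as a single literal argument (the portable equivalent for os.execute)."""
    _validate(ssid, psk)
    return f"wifi_setup --ssid {shlex.quote(ssid)} --psk {shlex.quote(psk)}"


def build_command_safe(ssid: str, psk: str) -> List[str]:
    """Preferred fix: validate, then return an argv list so no shell parses the
    values at all; a ';' in an SSID is just a character in one argument."""
    _validate(ssid, psk)
    return ["wifi_setup", "--ssid", ssid, "--psk", psk]


def _validate(ssid: str, psk: str) -> None:
    # Length and character-set checks only: SSIDs may legitimately contain
    # punctuation, so the real defence is never letting a shell see them.
    if not SSID_RE.fullmatch(ssid):
        raise ValueError("rejected SSID")
    if not PSK_RE.fullmatch(psk):
        raise ValueError("rejected passphrase")


def shell_splits(cmd: str) -> bool:
    """Tokenise like a POSIX shell and report whether a command separator is
    present outside quotes, i.e. whether a parameter escaped its argument."""
    lexer = shlex.shlex(cmd, punctuation_chars=True)
    return any(tok in (";", "&&", "||", "|", "&") for tok in lexer)
```

`shell_splits` only looks for separators, which is enough to contrast the three builders here; it is a review aid, not a sanitizer.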
However, “the flaws disclosed regarding Wi-Fi configuration parameters are unlikely to be abused by a malicious actor because they would require access to these parameters at the time of device setup,” said researchers. “These flaws, along with the unprotected UART interface [CVE-2019-3983], are more likely to be abused by researchers or tinkerers rather than someone with wholly malicious intent.”
Amazon has rolled out patches for the vulnerabilities and users are urged to confirm their device is updated to firmware version 2.13.11 or later.
“Customer trust is important to us and we take the security of our devices seriously. Customers have received automatic security updates addressing these issues for impacted devices,” an Amazon spokesperson told Threatpost.
Meanwhile, the biggest thing consumers can do to protect themselves from these flaws is to make sure their devices are always updated to the latest versions, said researchers. “Due to the way the Blink cameras and sync modules connect to and communicate with the Blink cloud infrastructure, updates are generally automatic and strictly enforced,” they said.