Researchers have found no fewer than seven vulnerabilities in a popular Amazon-owned security camera that, if exploited, would turn the device into a playground for malicious hackers.
An attacker who took advantage of one or more of the flaws found by cybersecurity company Tenable could obtain audio or video from the camera or conscript the device into a botnet to conduct denial-of-service attacks, Tenable said.
The camera in question is the Blink XT2, a popular consumer device that comes with cloud storage. By picking apart the camera’s application programming interface, the researchers figured out how that system controls the device, and how it can be abused.
The vulnerabilities, for which Amazon has issued fixes, vary in severity and the likelihood that they will be exploited. One flaw requires physical access to the camera to exploit. Regardless, the number of bugs this one study has uncovered points to a larger issue in internet-of-things (IoT) devices.
“From video-enabled doorbells to internet-connected baby monitors, consumers need to be aware of the tradeoffs and risks these devices introduce if they choose to welcome them into their homes,” James Sebree, principal research engineer at Tenable, wrote in a blog post.
Tenable CTO Renaud Deraison said connected devices like home security cameras are of perennial interest to cybercriminals, adding that manufacturers of internet-of-things (IoT) devices have an “obligation” to build security into their products.
But many IoT vendors simply haven’t done that, and U.S. officials have pointed to a lack of cost incentives as the reason why. Market forces are at play that no amount of patching will address, a 2018 report from the Departments of Homeland Security and Commerce warned.