Another Amazon-owned camera has a multitude of flaws


Researchers have found no fewer than seven vulnerabilities in a popular Amazon-owned security camera that, if exploited, would turn the device into a playground for malicious hackers.

An attacker who took advantage of one or more of the flaws found by cybersecurity company Tenable could obtain audio or video from the camera or conscript the device into a botnet to conduct denial-of-service attacks, Tenable said.

The camera in question is the Blink XT2, a popular consumer device that comes with cloud storage. By picking apart the camera’s application programming interface, the researchers figured out how that system controls the device, and how it can be abused.

The vulnerabilities, for which Amazon has issued fixes, vary in severity and in the likelihood that they will be exploited. One of the flaws requires physical access to the camera to exploit. Regardless, the number of bugs this one study has uncovered points to a larger issue in internet-of-things (IoT) devices.


“From video-enabled doorbells to internet-connected baby monitors, consumers need to be aware of the tradeoffs and risks these devices introduce if they choose to welcome them into their homes,” James Sebree, principal research engineer at Tenable, wrote in a blog post.

Tenable CTO Renaud Deraison said connected devices like home security cameras are of perennial interest to cybercriminals, adding that manufacturers of internet-of-things (IoT) devices have an “obligation” to build security into their products.

But many IoT vendors simply haven’t done that, and U.S. officials have pointed to a lack of cost incentives as the reason why. Market forces are at play that no amount of patching will address, a 2018 report from the Departments of Homeland Security and Commerce warned.

Written by Sean Lyngaas
