Do you have a home security system that incorporates Amazon’s Blink XT2 cameras?

If so, be advised that researchers at Tenable Security recently identified several serious security flaws that would allow an attacker to take control of the cameras remotely and use them to spy on you and your family.

The security issues are centered in the cameras’ Sync Module. It acts as a bridge between the camera itself and the cloud and allows users to divide their camera suite into discrete zones that cover different parts of the home. It also allows them to activate the cameras located in various zones at different times throughout the day and night.

Unfortunately, these vulnerabilities allow an attacker to selectively activate or deactivate cameras and view archived footage.

The researchers had this to say about the issue:

“When checking for updates, the device first obtains an update helper script (sm_update) from the web, and then immediately runs the content of this script with zero sanitation.  If an attacker is able to MitM this request (either directly or indirectly – through some sort of DNS poisoning or hijacking) they can modify the contents of this response to suit their own needs or desires.

The most obvious attack scenario for this flaw would be some sort of insider threat – babysitters, house or pet sitters, Airbnb guests, or anyone else with somewhat privileged access to your home.”

The good news is that Amazon has moved quickly to address the issue and has already issued a firmware update.  All you need to do at this point is check your Blink XT2 cameras to be sure they’re running firmware version 2.13.11 or later.

However, there’s a caveat. If your camera has already been compromised, it won’t automatically receive the firmware update. In that case, you’ll likely need to hire an expert to manually force the update.  Be sure to check the firmware version of your cameras as soon as possible.  You don’t want your security system to be used against you.