Smart home cybersecurity news roundup [December 2019 edition]
The holidays are a notorious time to buy the latest tech. With an expected $97 billion spent on tech gifts this holiday season, staying up-to-date on the latest smart home cybersecurity news stories has become even more important. The stories that caught our attention this month were on the Blink camera and Ruckus router vulnerabilities.
Blink camera vulnerabilities risk device and user data compromise
On December 5, 2019, vulnerability research organization Tenable released a security advisory for Amazon-owned Blink. According to Tenable researchers, Blink XT2 home security cameras were found to contain vulnerabilities that could ultimately give an attacker full control of the devices and leak user data.
"Tenable Inc, which discovered the issues, said seven severe vulnerabilities in Blink's XT2 camera systems could have given attackers full control over the device and allow them to view the camera footage remotely." https://t.co/fjBxEUcxHd via @Reuters
— Tenable (@TenableSecurity), December 10, 2019
The disclosure of these vulnerabilities comes at an interesting time: just last week, Ring (another Amazon-owned home security camera company) made headlines for facing a federal lawsuit regarding its security measures. In December, there were several accounts of Ring devices being compromised; see the story of a Mississippi family's hacked Ring device.
In the case of Blink, there have not been any public accounts of device compromises. However, these vulnerabilities disclosed by Tenable are a good reminder that any connected device is susceptible to hacking.
According to Tenable's disclosure timeline, Amazon had begun rolling out security patches for Blink XT2 home security cameras on December 1, 2019. A week later, the security flaws were said to have been rectified through a series of automatic security updates.
As such, Tenable advises impacted users to ensure their devices are updated to the latest software versions. Another preventative measure we might add is ensuring your Blink account has a strong, unique password with two-factor authentication enabled. More often than not, the vector for these attacks is weak user account credentials; recall the Nest account hacks from earlier this year.
Ruckus router vulnerabilities allow attackers to gain "root" privileges
On December 24, 2019, Ruckus Networks (an ARRIS company, acquired by CommScope) released a security advisory detailing several vulnerabilities found in a number of Ruckus wireless routers, particularly those in the ZoneDirector and Unleashed product lines.
Although Ruckus acknowledged and responded quickly to these issues, first reported by Gal Zror of Aleph Research (see a live talk by Zror on these issues below), the severity of these vulnerabilities should not be taken lightly.
As described in the video, these vulnerabilities allow unauthenticated remote code execution that ultimately gives an attacker root privileges, i.e. full control, of the router. This is nearly the same level of access that the Mirai botnet used to temporarily disable a key piece of the internet back in October of 2016.
Another issue here is that these devices are more typically found in small businesses rather than homes, and many of those businesses are unlikely to have regular IT staff on hand to confirm that security patches have actually been applied to impacted devices.
Carrying out a quick scan on Shodan, a search engine for internet-connected devices, I found that there are roughly 6800 impacted devices online, the majority of which are located in Taiwan, the US, and South Korea (in that order). As such, we don't have to worry about this scaling into another Mirai botnet, as there aren't enough of these devices online.
What we should be concerned about, however, is that many of these vulnerabilities stem from well-known attack vectors that vendors should be protecting against and testing for by default.
Past smart home cybersecurity news roundup editions:
- June 2019: Linksys Smart WiFi router vulnerability and Android pre-installed backdoor
- July 2019: Website drive-by attacks on home routers
- August 2019: VxWorks and Google Nest Cam IQ Indoor vulnerabilities
- September 2019: SMS-based attacks and major router vulnerabilities
- October 2019: What is Gafgyt malware?
- November 2019: What is Light Commands?