A bug in Abode’s home security system could let hackers remotely switch off cameras • TechCrunch
A vulnerability in Abode’s integrated home security system could allow malicious actors to remotely switch off customers’ security cameras.
The Iota All-In-One Security Kit from Abode is a DIY home security system that includes a main security camera, motion sensors that can attach to windows and doors, and a hub that can alert users to unwanted movement in their homes. It also integrates with third-party smart hubs such as Google Home, Amazon Alexa and Apple HomeKit.
Researchers at Cisco’s Talos cybersecurity unit this week disclosed several vulnerabilities in Abode’s security system, including a critical authentication bypass flaw that could allow anyone to remotely run multiple sensitive device functions without a password by bypassing the hardware’s authentication mechanism.
The bug, tracked as CVE-2022-27805 with a vulnerability rating of 9.8 out of 10, is in the UDP service – a communications protocol used to establish low-latency connections between applications on the Internet – which is responsible for handling remote configuration changes.
As Matt Wiseman, a senior security researcher at Cisco Talos, explained, the lack of authorization checks means an attacker can execute commands remotely through Abode’s mobile and web applications, such as rebooting the device, changing the administrator password, and completely disarming the security system.
Wiseman told TechCrunch that in general, the affected device will be deployed to a local network and will not be available directly over the Internet. “The attack is most likely from someone on the local network or if someone has access to the device through the Abode network – for example, if they have the username and password for the mobile app.”
“However, they can be deployed in a state that can be accessed directly online or where someone is specifically directing traffic to certain services,” Wiseman added.
On Thursday, Talos revealed several other vulnerabilities in Abode’s security system. These include several vulnerabilities rated 10 that can be exploited by sending a series of malicious payloads to execute arbitrary system commands with the highest privileges, and a second authentication bypass bug that could allow an attacker to gain access to many sensitive functions on the device, including performing a factory reset, simply by setting a specific HTTP header to an encrypted value.
Cisco initially disclosed the Abode vulnerabilities in July and made the flaws public this week after patches became available. Users are advised to update the Iota All-In-One Security Kit to the latest version as soon as possible.
In a statement provided to TechCrunch, Chris Carney, founder and CEO of Abode, said: “As a security-first company, we immediately worked to fix, address, and correct their findings. This work was already done, completed, and pushed as a customer update. Additionally, there weren’t reports from Abode customers regarding these findings.” Carney confirmed that Abode worked with Talos to resolve the security issues.
News of flaws in Abode’s connected home security system comes after the US government this week shared more details about its plans to launch a cybersecurity labeling program for consumer IoT devices to better protect Americans from “significant national security risks.” The initiative will be launched next year for “more dangerous” devices – including home security cameras.