A vulnerability in Abode’s all-in-one home security system could allow malicious actors to remotely shut down customers’ security cameras.
Abode’s Iota All-In-One Security Kit is a DIY home security system that includes a main surveillance camera, motion sensors that can be placed on windows and doors, and a hub that can alert users to unwanted movement in their homes. It also integrates with third-party smart hubs like Google Home, Amazon Alexa, and Apple HomeKit.
Researchers at Cisco’s Talos cybersecurity unit this week uncovered multiple vulnerabilities in Abode’s security system, including an authentication bypass vulnerability rated Critical that could allow anyone to remotely trigger multiple sensitive device functions without a password, because the devices’ authentication mechanism can be bypassed.
The bug, which is tracked as CVE-2022-27805 and has a severity rating of 9.8 out of 10, resides in the UDP service — a communications protocol used to establish low-latency connections between applications on the Internet — which is responsible for handling remote configuration changes.
As explained by Matt Wiseman, a senior security researcher at Cisco Talos, the lack of authorization checks means an attacker can remotely execute commands that are normally issued through Abode’s mobile and web applications, such as rebooting the device, changing the administrator password, and completely disarming the security system.
Wiseman told TechCrunch that the affected device would generally be deployed on a local area network and would not be directly accessible from the internet. “The more likely attack will come from someone on the local network or if someone has access to the device through Abode’s network – for example, if they have the username and password for the mobile application.”
“However, it could be used in a situation where it’s directly accessible from the Internet, or where someone is specifically routing traffic to certain services,” Wiseman added.
Talos disclosed several other vulnerabilities in Abode’s security system on Thursday. These include multiple 10-rated vulnerabilities that could be exploited by sending a series of malicious payloads to execute arbitrary system commands with the highest privileges, and a second authentication bypass vulnerability that could allow an attacker to access multiple sensitive functions on the device, including triggering a factory reset, simply by setting a specific HTTP header to a hardcoded value.
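The second authentication bypass above, access granted to whoever sends one hardcoded header value, and the missing authorization checks on the configuration service are the same class of defect: the device never ties a privileged action to an authenticated account. The following is an added illustration, not code from Abode, Talos or the article; the header name, the constant, the action names and the role model are all constructed placeholders, and the real header and value are not given on the page.

```python
import hmac
import secrets

# Constructed placeholders: the real header name and value are not disclosed here.
PLACEHOLDER_HEADER = "X-Device-Auth"
HARDCODED_VALUE = "placeholder-constant"

# Constructed set of actions the article describes as sensitive.
SENSITIVE_ACTIONS = {"factory_reset", "set_admin_password", "disarm", "reboot"}


def weak_is_authorized(headers: dict) -> bool:
    """The flawed pattern: any client that knows a fixed constant is trusted.
    Because the constant ships in every unit's firmware, it is effectively
    public, so this check proves nothing about who is asking."""
    return headers.get(PLACEHOLDER_HEADER) == HARDCODED_VALUE


class SessionStore:
    """Per-session bearer tokens, issued only after a real login (assumed)."""

    def __init__(self):
        self._tokens = {}  # token -> account name

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, unique per login
        self._tokens[token] = account
        return token

    def account_for(self, presented: str):
        # Constant-time comparison so a guessed token cannot be refined byte by byte.
        for stored, account in self._tokens.items():
            if hmac.compare_digest(stored, presented):
                return account
        return None


def hardened_is_authorized(headers: dict, action: str,
                           sessions: SessionStore, roles: dict) -> bool:
    """Hardened check: a valid per-session token is required for every request,
    and sensitive actions additionally require the admin role."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    account = sessions.account_for(auth[len("Bearer "):])
    if account is None:
        return False
    if action in SENSITIVE_ACTIONS and roles.get(account) != "admin":
        return False
    return True


def demo() -> dict:
    """Exercise both checks against constructed requests; every value should be True."""
    sessions = SessionStore()
    roles = {"owner": "admin", "guest": "viewer"}  # constructed accounts
    owner = {"Authorization": "Bearer " + sessions.issue("owner")}
    guest = {"Authorization": "Bearer " + sessions.issue("guest")}
    constant_only = {PLACEHOLDER_HEADER: HARDCODED_VALUE}
    bogus = {"Authorization": "Bearer " + "A" * 43}
    return {
        "weak_accepts_constant": weak_is_authorized(constant_only),
        "hardened_rejects_constant": not hardened_is_authorized(
            constant_only, "factory_reset", sessions, roles),
        "hardened_rejects_guest_reset": not hardened_is_authorized(
            guest, "factory_reset", sessions, roles),
        "hardened_allows_guest_status": hardened_is_authorized(
            guest, "get_status", sessions, roles),
        "hardened_allows_owner_reset": hardened_is_authorized(
            owner, "factory_reset", sessions, roles),
        "hardened_rejects_bogus_token": not hardened_is_authorized(
            bogus, "get_status", sessions, roles),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the contrast is that the weak check is a shared secret with no owner, so there is nothing to revoke and no way to distinguish the legitimate app from anyone who has read the firmware; the hardened version binds each request to a login that can be rotated or revoked, and puts a role gate in front of the actions the article lists as sensitive.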
Cisco first disclosed the vulnerability to Abode in July and publicly disclosed the bugs this week after patches were deployed. Users are advised to update their Iota All-In-One Security Kit to the latest version as soon as possible.
In a statement given to TechCrunch, Abode Founder and CEO Chris Carney said, “As a security-focused company, we worked promptly to fix, address, and patch their findings. This work has already been done, completed and released as an update. Additionally, there have been no reports from Abode customers related to these findings.” Carney confirmed that Abode worked with Talos to resolve the security issues.
News of flaws in Abode’s internet-enabled home security system comes after the US government this week gave more details about its plans to launch a cybersecurity labeling program for consumer IoT devices, intended to better protect Americans from “significant national security risks.” The initiative will be launched next year for the “highest risk” devices – including home security cameras.