"Critical Flaws in Abode Home Security Kit Allow Hackers to Hijack, Disable Cameras"
Abode Systems has resolved multiple severe vulnerabilities recently in its home security kit, including critical issues that could allow attackers to execute commands with root privileges. Abode Systems sells smart DIY home security systems and cameras that include motion sensors to detect intrusions or unwanted movements. Users can arm or disarm the system using an app or a keyfob. Users can control the system via a website or an application on their mobile devices and can integrate it with Amazon Alexa, Apple Homekit, and Google Home. Recently Cisco Talos researchers discovered that the Iota all-in-one security kit is affected by vulnerabilities that could allow attackers to change user passwords, change device configuration, inject arbitrary code, and even completely shut down the system. The researchers noted that an attacker could remotely take control of targeted cameras or disable them. The researchers stated that the devices contain several format string injection vulnerabilities in various functions of its software that could lead to memory corruption, information disclosure, and a denial of service. An attacker could send a malicious XML payload to trigger these vulnerabilities. The researchers discovered a total of 14 critical-severity (CVSS score of 10) OS command injection vulnerabilities in the home security kit. Cisco’s security researchers warn that they could be exploited to execute arbitrary system commands with root privileges. Three other critical flaws in Abode Systems’ kit are described as format string injection, authentication bypass, and integer overflow bugs. The researchers noted that nine of the security defects are described as high-severity format string injection vulnerabilities that could be exploited using specially-crafted HTTP requests, XCMDs, or configuration values. Other high-severity vulnerabilities identified in the product include an authentication bypass, two command injection flaws, and a double-free bug. The researchers reported these vulnerabilities to Abode Systems in July, and the vendor has released software updates that patch all of them. Users are advised to update to Iota 6.9X or 6.9Z as soon as possible.