Recently, I discovered a glaring vulnerability within the Blink Camera System Sync Module. I have not had a good experience with their team, and I will go over this later in this page.
CVE ID: CVE-2018-20161
- A computer running linux (Kali Linux preferably)
- Nmap, and python-nmap
- Scapy
- termcolor
- Python 3
The following is a both Technical and Layman's Analysis of the vulnerability
Below is a simplified explanation of the vulnerability and its implications. A more detailed report is below.
If the sync module kicked off the wifi network, live video is no longer accessible from the blink app1. Clips triggered by the motion sensor are also not saved. This is a bigger deal than the live video, and is the most compromising for the system.
If a threat actor was able to deauth a Sync Module, he would be able to gain entry to a facility or home undetected and a video of him breaking in would not be recorded.
The following is a technical analysis of the vulnerability, including the CVSS score, and proof of concept source code that will discover sync modules on the wifi network and deauth them.
Like I said above, this is a Denial Of Service vulnerability within the Blink Sync Module. It is very simple, all you have to do is use any assortment of ways to deauth or kick the Sync Module off of the wifi network. You could also deauth the entire network without having to get the wifi password and join to get the same effect. The unfortunate thing is, Blink cannot just patch the vulnerability through a software patch. The only way I could see this being fixed would be requiring that the Sync Module is connected to the router or modem over ethernet and not wifi.
Through preliminary estimates, I found this vulnerability to have a medium criticality and a score a 7.0 out of 10. The link to the report can be found here.
My experience with Blink has been less than satisfactory. When I first discovered the vulnerability, it was more difficult than it should be to find their responsible disclosure webpage. On that site, they list the email [email protected] as who to contact if a vulnerability is discovered. I did this, and emailed the listed email. They responded by telling me that they were Sorry I was having this issue with my Sync Module.2 I was only truly able to report the vulnerability after two different hour long phone calls with tech support, in which I had to explain what I was trying to do each time. Even then, I did not receive any updates until today, when Blink tech support said that they were referring the ticket to engineering today almost three weeks after the initial report. Blinks responsible disclosure policy is a joke, and I can only hope that Amazon can at least make it a little better. For the sake of their customers who bought a product looking for peace of mind.
Thank you to @chrizator writing netattack, which was used for the deauth portions of this simple script!
1A screenshot of the app when the Sync Module is being deauthed can be found here.
2A screenshot of the email exchange can be found here.