Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Critical Flaws in Abode Home Security Kit Allow Hackers to Hijack, Disable Cameras

Abode Systems has resolved multiple severe vulnerabilities in its home security kit, including critical issues that could allow attackers to execute commands with root privileges.

Abode Systems has resolved multiple severe vulnerabilities in its home security kit, including critical issues that could allow attackers to execute commands with root privileges.

An American company, Abode Systems sells smart DIY home security systems and cameras that include motion sensors to detect intrusions or unwanted movements. Users can arm or disarm the system using an app or a keyfob.

Users can control the system via a website or an application on their mobile devices, and can integrate it with Amazon Alexa, Apple Homekit, and Google Home.

Cisco Talos researchers discovered that the Iota all-in-one security kit is affected by vulnerabilities that could allow attackers to change user passwords, change device configuration, inject arbitrary code, and even completely shut down the system. An attacker could remotely take control of targeted cameras or disable them.

“The devices contain several format string injection vulnerabilities in various functions of its software that could lead to memory corruption, information disclosure and a denial of service. An attacker could send a malicious XML payload to trigger these vulnerabilities,” Cisco explains.

A total of 14 critical-severity (CVSS score of 10) OS command injection vulnerabilities have been identified in the home security kit. Cisco’s security researchers warn that they could be exploited to execute arbitrary system commands with root privileges.

Three other critical flaws in Abode Systems’ kit are described as format string injection, authentication bypass, and integer overflow bugs.

Nine of the security defects are described as high-severity format string injection vulnerabilities that could be exploited using specially-crafted HTTP requests, XCMDs, or configuration values.

Other high-severity vulnerabilities identified in the product include an authentication bypass, two command injection flaws, and a double-free bug.

Cisco reported these vulnerabilities to Abode Systems in July and the vendor has released software updates that patch all of them. Users are advised to update to Iota 6.9X or 6.9Z as soon as possible.

Related: Android Security Updates Patch Critical Vulnerabilities

Related: SMBs Exposed to Attacks by Critical Vulnerability in DrayTek Vigor Routers

Related: Critical U-Boot Vulnerability Allows Rooting of Embedded Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.