Abode Systems has resolved multiple severe vulnerabilities in its home security kit, including critical issues that could allow attackers to execute commands with root privileges.
An American company, Abode Systems sells smart DIY home security systems and cameras that include motion sensors to detect intrusions or unwanted movements. Users can arm or disarm the system using an app or a keyfob.
Users can control the system via a website or an application on their mobile devices, and can integrate it with Amazon Alexa, Apple Homekit, and Google Home.
Cisco Talos researchers discovered that the Iota all-in-one security kit is affected by vulnerabilities that could allow attackers to change user passwords, change device configuration, inject arbitrary code, and even completely shut down the system. An attacker could remotely take control of targeted cameras or disable them.
“The devices contain several format string injection vulnerabilities in various functions of its software that could lead to memory corruption, information disclosure and a denial of service. An attacker could send a malicious XML payload to trigger these vulnerabilities,” Cisco explains.
A total of 14 critical-severity (CVSS score of 10) OS command injection vulnerabilities have been identified in the home security kit. Cisco’s security researchers warn that they could be exploited to execute arbitrary system commands with root privileges.
Three other critical flaws in Abode Systems’ kit are described as format string injection, authentication bypass, and integer overflow bugs.
Nine of the security defects are described as high-severity format string injection vulnerabilities that could be exploited using specially-crafted HTTP requests, XCMDs, or configuration values.
Other high-severity vulnerabilities identified in the product include an authentication bypass, two command injection flaws, and a double-free bug.
Cisco reported these vulnerabilities to Abode Systems in July and the vendor has released software updates that patch all of them. Users are advised to update to Iota 6.9X or 6.9Z as soon as possible.