Blink's XT2 security camera can be hacked: What to do now

(Image credit: Blink)

At least one model of Blink security cameras has several serious security flaws that need to be fixed by a firmware update. 

The flaws could let hackers take complete control of the cameras and let them view camera footage, listen to live audio feeds or even use the cameras to attack other devices.

Researchers from security firm Tenable found seven different vulnerabilities in the Blink XT2, the most recent model from the home-security-camera company that was bought by Amazon two years ago.

Like many smart-home and Internet of Things (IoT) devices, the Blink XT2 can be hacked into if you get physical access, and also during the initial Wi-Fi setup process. As Tenable admits in its report, neither of these is "a major concern for everyday consumers" because the windows of opportunity for attackers are very small.

More seriously, you can also hack into the Blink XT2 after it's set up because it reaches out to web servers when checking for firmware updates and network information. The problem is that it accepts any kind of server response without verifying its source, leaving the device open to a "man in the middle" network-based attack. 

To make sure your Blink XT2 security camera is protected from these threats, make sure its firmware is updated to version 2.13.11. The firmware version should be indicated in the setting part of the Blink Home Monitor companion mobile app. 

If you're not sure about the firmware version, simply power-cycle the camera by removing and then replacing the batteries. The camera should reach out to Blink's servers for the latest firmware when it powers back on.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.