registry  /  iobroker.blink  /  0.0.21

iobroker.blink@0.0.21

adapter for amazon blink system and ioBroker

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malware was found, but runtime setup creates an enabled ioBroker JavaScript helper that exposes Blink video/live-view functionality over a local HTTP server. The risk is an unauthenticated auxiliary server plus shell/process use in a package-aligned feature.

Static reason
One or more suspicious static signals were detected.
Trigger
ioBroker adapter runtime onReady, then optional /live/start or grid use
Impact
Potential local-network exposure of Blink camera media/live controls; no confirmed external exfiltration endpoint.
Mechanism
auto-installed enabled ioBroker script with local HTTP video server and LiveView helpers
Attack narrative
At runtime the adapter logs into Blink, polls/downloads camera media, and installs an enabled ioBroker JavaScript helper that starts a local web grid and LiveView server. That helper can read Blink adapter config, use an ioBroker CLI fallback, spawn helper scripts/ffmpeg, and serve stored video/HLS files. This is aligned with the adapter's camera streaming feature, but the automatic enabled helper and unauthenticated HTTP surface make it a real warning-level risk rather than a clean package.
Rationale
Source inspection did not show concrete malicious exfiltration or install-time execution, and the suspicious primitives are mostly Blink/ioBroker camera functionality. However, automatically creating an enabled helper script with unauthenticated HTTP exposure and process execution is a dangerous runtime capability that warrants warning.
Evidence
package.jsonmain.jslib/blink-api.jslib/blink-video-url-server.jsonlib/immi-live-hls.jslib/blink-liveview-iobroker.jsio-package.json/tmp/blink_debug.log/tmp/blink_session_cache/*.json/tmp/blink_liveview_session.json/tmp/blink_hls/*/opt/iobroker/iobroker-data/blink/*script.js.common.blink-video-url-server
Network endpoints5
api.oauth.blink.comrest-prod.immedia-semi.comimmis://<Blink session host>:443<host>:8085/gridcdnjs.cloudflare.com/ajax/libs/hls.js/1.5.20/hls.min.js

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • main.js creates/updates script.js.common.blink-video-url-server from lib/blink-video-url-server.json on adapter ready.
  • lib/blink-video-url-server.json template is enabled:true and starts an unauthenticated HTTP server on port 8085.
  • The installed script can read adapter credentials via getObject/CLI fallback and can exec iobroker object get.
  • LiveView paths spawn package helpers/ffmpeg and serve files from /opt/iobroker/iobroker-data/blink and /tmp/blink_hls.
  • lib/immi-live-hls.js spawns ffmpeg and opens an HLS HTTP server; TLS target comes from Blink session data.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • Network use in lib/blink-api.js targets Blink/OAuth hosts api.oauth.blink.com and rest-prod.immedia-semi.com for the advertised adapter purpose.
  • Credentials and PIN are ioBroker adapter config fields, with password/pin marked encryptedNative/protectedNative in io-package.json.
  • Debug logging attempts to redact password, token, PIN, authorization and cookie fields.
  • No code found harvesting unrelated env/files, persistence outside ioBroker objects, dependency confusion, or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 233 KB of source, external domains: 127.0.0.1, api.oauth.blink.com

Source & flagged code

4 flagged · loading source
lib/blink-video-url-server.jsonView file
8patternName = generic_password severity = medium line = 8 matchedText = "source"...\n",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/blink-video-url-server.jsonView on unpkg · L8
main.jsView file
1694async startHlsProxy(devId, live) { L1695: const { spawn } = require('node:child_process'); L1696: await this.startHlsServer();
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L1694
5L6: const utils = require('@iobroker/adapter-core'); L7: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

main.jsView on unpkg · L5
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path'); L10: const tls = require('node:tls'); L11: const http = require('node:http'); L12: const { spawn, spawnSync } = require('node:child_process'); L13: L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json'; L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9

Findings

2 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings