registry  /  iobroker.blink  /  0.0.24

iobroker.blink@0.0.24

adapter for amazon blink system and ioBroker

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious payload was found, but the package auto-installs an enabled ioBroker JavaScript server with unauthenticated local HTTP controls for camera LiveView. This is a real exposed control surface rather than install-time malware.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Adapter runtime onReady installs the script; HTTP requests to the generated server can trigger LiveView helpers.
Impact
Local network users may be able to trigger camera LiveView/HLS activity if the ioBroker JavaScript server is reachable; no evidence of external exfiltration or destructive behavior.
Mechanism
auto-installed ioBroker script plus local HTTP server and ffmpeg LiveView bridge
Attack narrative
At runtime the adapter logs into Blink, polls camera state, downloads snapshots/videos, and can install a JavaScript-adapter web server for grid and LiveView controls. That server can call bundled helpers and ffmpeg to create HLS output. The behavior is package-aligned but creates an unauthenticated local control surface; inspection did not show non-Blink exfiltration, arbitrary remote payload loading, persistence outside ioBroker objects, or destructive actions.
Rationale
Source inspection supports a suspicious warning for an exposed auto-installed control surface, not a malicious block. The dangerous primitives are aligned with camera streaming and Blink API integration, with no concrete evidence of theft, malware persistence, or external attacker infrastructure.
Evidence
package.jsonmain.jslib/blink-api.jslib/blink-video-url-server.jsonlib/immi-live-hls.jslib/blink-liveview-iobroker.jslib/mjpeg-server.jsio-package.json/tmp/blink_debug.log/tmp/blink_session_cache/tmp/blink_liveview_session.json/tmp/blink_liveview_iobroker_debug.log/tmp/blink_hls/opt/iobroker/iobroker-data/blink
Network endpoints5
api.oauth.blink.comrest-prod.immedia-semi.comcdnjs.cloudflare.com/ajax/libs/hls.js/1.5.20/hls.min.js<host>:8085/grid<host>:8099/live.m3u8

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • main.js installs lib/blink-video-url-server.json as enabled ioBroker JavaScript object on adapter ready
  • lib/blink-video-url-server.json exposes unauthenticated local HTTP routes such as /live/start and /grid on port 8085
  • lib/blink-video-url-server.json uses ioBroker exec to run bundled LiveView/HLS helpers
  • lib/immi-live-hls.js spawns ffmpeg and deletes/recreates files under /tmp/blink_hls
  • lib/blink-liveview-iobroker.js reads Blink credentials from env or prompts and writes LiveView session JSON under /tmp
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts
  • Network traffic is Blink/ioBroker feature-aligned: OAuth, Blink REST API, IMMI LiveView, local stream servers
  • Secrets in debug paths are masked in lib/blink-api.js before logging
  • Child process usage is for ffmpeg/live video bridge and bundled helper scripts, not arbitrary downloaded payloads
  • No evidence of credential harvesting beyond configured Blink login or exfiltration to non-Blink endpoints
  • No prompt/reviewer manipulation or AI-agent control-surface writes found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 233 KB of source, external domains: 127.0.0.1, api.oauth.blink.com

Source & flagged code

5 flagged · loading source
lib/blink-video-url-server.jsonView file
8patternName = generic_password severity = medium line = 8 matchedText = "source"...\n",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/blink-video-url-server.jsonView on unpkg · L8
main.jsView file
1694async startHlsProxy(devId, live) { L1695: const { spawn } = require('node:child_process'); L1696: await this.startHlsServer();
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L1694
5L6: const utils = require('@iobroker/adapter-core'); L7: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

main.jsView on unpkg · L5
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path'); L10: const tls = require('node:tls'); L11: const http = require('node:http'); L12: const { spawn, spawnSync } = require('node:child_process'); L13: L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json'; L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9
lib/blink-api.jsView file
matchType = previous_version_dangerous_delta matchedPackage = iobroker.blink@0.0.23 matchedIdentity = npm:aW9icm9rZXIuYmxpbms:0.0.23 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/blink-api.jsView on unpkg

Findings

3 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
HighPrevious Version Dangerous Deltalib/blink-api.js
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings