registry  /  iobroker.blink  /  0.0.29

iobroker.blink@0.0.29

adapter for amazon blink system and ioBroker

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malware or exfiltration was found. The notable risk is runtime creation of an enabled ioBroker JavaScript helper script that can run shell commands and start local HTTP/HLS services for package-aligned camera functionality.

Static reason
One or more suspicious static signals were detected.
Trigger
ioBroker adapter runtime onReady and user/live-view actions
Impact
Warn-level extension/persistence risk inside ioBroker; no evidence of credential theft or attacker-controlled remote code execution.
Mechanism
runtime ioBroker script creation plus Blink API polling, media download, and ffmpeg streaming
Attack narrative
At adapter startup, main.js reads lib/blink-video-url-server.json and installs an enabled ioBroker JavaScript script object. That script exposes local camera/video endpoints and can use exec to query ioBroker config and start package helper scripts. The behavior is broad and persistent within ioBroker, but source inspection shows it is tied to Blink camera streaming and local media serving rather than credential harvesting, external exfiltration, AI-agent control hijack, or install-time compromise.
Rationale
The package has real privileged runtime behavior, including auto-created ioBroker script code and child_process usage, so a warn is appropriate. The observed network and file activity is package-aligned Blink camera login, polling, snapshot/video storage, and local streaming, with no concrete malicious endpoint or payload.
Evidence
package.jsonmain.jslib/blink-api.jslib/blink-video-url-server.jsonlib/immi-live-hls.jslib/mjpeg-server.jslib/blink-liveview-iobroker.js/tmp/blink_session_cache/tmp/blink_debug.log/tmp/blink_liveview_session.json/tmp/blink_hlsconfigured snapshotDir
Network endpoints5
api.oauth.blink.comrest-prod.immedia-semi.comdynamic https://${session.apiHost}local http://<host>:8085local http://<host>:8099

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • main.js creates/updates enabled ioBroker javascript object script.js.common.blink-video-url-server at runtime from lib/blink-video-url-server.json.
  • lib/blink-video-url-server.json embedded script uses exec fallback to run iobroker object get and launches package helper scripts for LiveView/HLS.
  • lib/immi-live-hls.js and main.js spawn ffmpeg for camera live/HLS streams.
  • lib/blink-api.js caches Blink sessions under /tmp/blink_session_cache and writes downloaded media/snapshots to configured paths.
Evidence against
  • package.json has no npm lifecycle hooks or bin entrypoint; main is the ioBroker adapter main.js.
  • Network activity is aligned with Blink camera functionality: api.oauth.blink.com, rest-prod.immedia-semi.com, and session apiHost.
  • Debug logging redacts password, PIN, auth_token, access_token, refresh_token, and token fields.
  • Local HTTP/MJPEG/HLS servers serve camera streams/files with path checks and token protection for MJPEG.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 232 KB of source, external domains: 127.0.0.1, api.oauth.blink.com

Source & flagged code

4 flagged · loading source
lib/blink-video-url-server.jsonView file
8patternName = generic_password severity = medium line = 8 matchedText = "source"...\n",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/blink-video-url-server.jsonView on unpkg · L8
main.jsView file
1694async startHlsProxy(devId, live) { L1695: const { spawn } = require('node:child_process'); L1696: await this.startHlsServer();
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L1694
5L6: const utils = require('@iobroker/adapter-core'); L7: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

main.jsView on unpkg · L5
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path'); L10: const tls = require('node:tls'); L11: const http = require('node:http'); L12: const { spawn, spawnSync } = require('node:child_process'); L13: L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json'; L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9

Findings

2 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings