June 21, 2018
More than 400 models of Axis Communications’ security cameras contain vulnerabilities that could be exploited by malicious actors to intercept and view camera footage, take full control of the cameras, or disable them entirely.
The cameras are used by several companies, including industrial businesses, banks, and guesthouses. The vulnerabilities were found by the cybersecurity firm VDOO as part of its research into the security of IoT devices.
If an attacker were able to find the IP address of a camera, three of the vulnerabilities could be chained together to remotely compromise it: an authentication bypass (CVE-2018-10661), the ability to send requests as root (CVE-2018-10662), and shell command injection (CVE-2018-10660).
Altogether, seven vulnerabilities were found. The remaining four could be abused to disable or crash the cameras and to read data from memory.
Many companies have their security cameras directly exposed to the Internet, which would make an attack easy to pull off. An attacker would only need to find the devices using a simple Internet scanner, after which an attack could be conducted extremely quickly.
Cameras with an open port would need that port to be known before an attack could be carried out, although that would not pose much of an obstacle for an experienced hacker. Even if the cameras are protected behind a firewall, an insider could easily pull off an attack.
VDOO has published proof-of-concept code and a description of the attack and has listed the vulnerable models and firmware versions. No evidence has been uncovered to suggest the flaws are currently being exploited in the wild, but users should take action promptly to ensure the vulnerabilities are not exploited.
VDOO is advising all users of vulnerable Axis Communications security cameras to upgrade to the latest firmware version to fix the flaws. Where no firmware update is available, users must place the cameras behind a firewall, block ports 80 and 443, and prevent the cameras from initiating any outbound connections.
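The fallback mitigation described above (block ports 80 and 443, no camera-initiated connections), written as an nftables ruleset for a Linux router sitting in front of the cameras. This is an added example, not configuration from VDOO or Axis; the camera subnet 10.20.30.0/24, the recorder address 10.20.10.5 and the exception that lets that one recorder reach the cameras are assumptions.

```nftables
# Constructed example. Assumed addressing:
#   10.20.30.0/24  camera VLAN
#   10.20.10.5     video recorder / management host
table inet camera_isolation {
    set cameras {
        type ipv4_addr
        flags interval
        elements = { 10.20.30.0/24 }
    }

    set recorders {
        type ipv4_addr
        elements = { 10.20.10.5 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies on connections that were opened towards a camera
        # (by the recorder) are allowed back through.
        ct state established,related accept

        # Cameras must never open a connection themselves.
        ip saddr @cameras ct state new log prefix "cam-outbound-drop " counter drop

        # Assumption: one recorder still needs the camera web interface.
        # Delete this rule to block ports 80 and 443 for everyone.
        ip saddr @recorders ip daddr @cameras tcp dport { 80, 443 } accept

        # All other hosts are blocked from ports 80 and 443 on the cameras.
        ip daddr @cameras tcp dport { 80, 443 } log prefix "cam-web-drop " counter drop
    }
}
```

Load it with `nft -f` and review the counters with `nft list table inet camera_isolation`; a non-zero outbound counter means a camera tried to initiate a connection and is worth investigating.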
This is not the first time that Axis Communications cameras have been found to be vulnerable. Senrio discovered a vulnerability in a third-party component, which similarly allowed remote code execution if exploited.
VDOO also recently found that some Foscam cameras had vulnerabilities that could easily be exploited remotely. Those vulnerabilities have now been fixed.
VDOO reports that its latest research has highlighted several areas where camera manufacturers are making it too easy for vulnerabilities to be discovered and exploited, such as the lack of privilege separation, lack of proper input sanitization, lack of binary firmware encryption and excessive use of shell scripts.