More than 400 models of Axis Communications’ security cameras contain vulnerabilities that could be exploited by malicious actors to intercept and view camera footage, take full control of the cameras, or disable them entirely.
The security cameras are used by many organizations, including industrial firms, banks and hotels. The vulnerabilities were discovered by the cybersecurity company VDOO as part of its investigation into the security of IoT devices.
If an attacker was able to find the IP address of the cameras, three of the vulnerabilities could be exploited together to remotely hack and gain access to the cameras – namely bypass authentication (CVE-2018-10661), send requests as root (CVE-2018-10662), and inject shell commands (CVE-2018-10660).
In total, seven vulnerabilities were discovered. The remaining four could be exploited to crash or disable the cameras and obtain data from the memory.
Many companies have their security cameras directly interfacing with the Internet, which would make an attack easy to pull off. An attacker would only be required to find the devices using a simple Internet scanner, after which an attack could be conducted extremely quickly.
Cameras with an open port would require that port to be identified before an attack could be conducted, although that would not pose too much of a problem for a skilled hacker. Even if the cameras are protected behind a firewall, and insider could easily pull off an attack.
VDOO has published proof-of-concept code and a description of the attack and has listed the vulnerable models and firmware versions. No evidence has been uncovered to suggest the flaws are currently being exploited in the wild, but users should take action promptly to ensure the vulnerabilities are not exploited.
VDOO is advising all users of vulnerable Axis Communications security cameras to upgrade to the latest version of firmware to correct the flaws. In cases where there is no available firmware update, users should locate the cameras behind firewalls and block port 80 and 443 and prevent the cameras from initiating any outbound connections.
This is not the first time that the Axis Communications’ cameras have been found to be vulnerable. A third-party component was discovered to be vulnerable by Senrio, which similarly allowed remote code execution if the flaw was exploited.
VDOO also recently discovered certain Foscam cameras had vulnerabilities that could easily be exploited remotely. Those vulnerabilities have now been patched.
VDOO reports that its latest research has highlighted several areas where camera manufacturers are making it too easy for vulnerabilities to be discovered an exploited, such as the lack of privilege separation, lack of proper input sanitization, lack of binary firmware encryption and excessive use of shell scripts.
The vulnerabilities, POC attack, and mitigations can be found on this link.