Over 400 Models of Axis Communications Cameras Susceptible to Distant Attacks

June 21, 2018


Over 400 versions of Axis Communications’ safety cameras have weaknesses that might be abused by malicious actors to interrupt and see camera footage, take complete control of the cameras, or deactivate them completely.

The safety cameras are used by several companies, including industrial businesses, banks, and guesthouses. The weaknesses were found by the cybersecurity firm VDOO as part of its examination into the safety of IoT appliances.

If an attacker was capable to find the IP address of the cameras, 3 of the weaknesses might be abused together to distantly hack and gain access to the cameras – namely send requests as root (CVE-2018-10662), bypass authentication (CVE-2018-10661), and insert shell commands (CVE-2018-10660).

Altogether, seven weaknesses were found. The remaining four might be abused to disable or crash the cameras and get data from the memory.

A lot of businesses have their safety cameras directly interfacing with the Internet, which would make an attack trouble-free to succeed. An attacker would just be needed to find the appliances using a plain Internet scanner, after which an attack might be carried out very swiftly.

Cameras with an open port would need that port to be known before an attack might be carried out, even though that would not pose too much of a trouble for an experienced hacker. Even if the cameras are safeguarded at the back of a firewall, and insider might easily pull off an attack.

VDOO has issued proof-of-concept code and an explanation of the attack and has listed the susceptible models and firmware types. No proof has been found to indicate the faults are presently being abused in the wild, however, users must take action quickly to make sure the weaknesses are not abused.

VDOO is instructing all users of susceptible Axis Communications safety cameras to upgrade to the latest type of firmware to rectify the faults. In instances where there is no obtainable firmware update, users must position the cameras at the back of firewalls and block port 80 and 443 and avoid the cameras from starting any outbound links.

This is not the first time that the Axis Communications’ cameras have been found to be susceptible. A third-party component was found to be susceptible by Senrio, which similarly let distant code implementation if the fault was abused.

VDOO also lately found some Foscam cameras had weaknesses that might easily be abused distantly. Those weaknesses have now been repaired.

VDOO informs that its latest research has emphasized many areas where camera producers are making it too easy for weaknesses to be found and exploited, such as the lack of privilege separation, lack of correct input cleansing, lack of binary firmware encryption and unnecessary use of shell scripts.