Researchers from cybersecurity firm VDOO have conducted a study on IoT devices and discovered seven vulnerabilities in cameras manufactured by Axis Communications. According to the vendor, nearly 400 models are affected by the issue and Axis has released security patches for each flaw.
An attacker can remotely take over a camera by knowing its IP address, exploiting the flaws it is possible to access and freeze the video stream, control every function of the camera (e.g. motion detection, direction) and also to alter the software.
“One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to Axis security team.” reads the analysis published by VDOO.
“Chaining three of the reported vulnerabilities together, allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.”
The experts published Technical details for each issue and related proof-of-concept (PoC) code.
The researchers demonstrated that chaining three vulnerabilities it is possible to hack Axis cameras by sending specially crafted requests as root (CVE-2018-10662) and bypassing authentication (CVE-2018-10661), then injecting arbitrary shell commands (CVE-2018-10660).
Below the attack sequence demonstrated by the researchers:
The remaining vulnerabilities discovered by VDOO can be exploited by unauthenticated attackers to obtain information from the memory o to trigger a DoS condition.
Axis published a security advisory that includes the complete list of all impacted cameras and the firmware version that address the vulnerabilities.
As part of the same study on the security of IoT devices, researchers at VDOO discovered several vulnerabilities in Foscam cameras.
(Security Affairs – Amazon Fire TV, ADB.miner)