Several critical vulnerabilities have been uncovered in some 400 Axis camera models. The flaws could allow hackers to take full control over the affected camera or entangle them in botnets. VDOO researchers unearthed the vulnerabilities that could be compromised via the IP address of the camera. As a result hackers could spy on any audio or video records.
More about the Vulnerabilities in Axis Cameras
The exact number of vulnerabilities is seven: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663, and CVE-2018-10664. According to the researchers, some of the vulnerabilities could be chained together in a single attack:
Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.
Furthermore, an attacker who obtained root control over the vulnerable cameras could also influence the way the cameras work by accessing and freezing their video stream. They could also listen to audio, control the camera’s movement, and include the camera in a botnet. The camera’s software could also be tampered with. The camera could also be deployed as an entry point for DDoS attacks.
In a conversation with ZDNet, VDOO CTO Asaf Karas said that root-access flaws are so threatening because the attacker “could practically use any feature of the camera and beyond”. “With the right resources, if someone knows of such vulnerabilities for a long time before they are patched — he or she could definitely violate individual’s privacy and organization’s security in a significant manner; and also could attack other targets using many of the affected cameras,” he added.
Fortunately, the researchers have reported that the several vulnerabilities haven’t been exploited in the wild, as least to the best of their knowledge. In other words, the flaws haven’t led to any concrete privacy violation or another security threat.
The vendor, Axis, has been informed and updated firmware has been released for the affected products. This was done two months before the research went public. This is what Axis said:
Axis has already been notified of the vulnerabilities and have released updated firmware for all affected products two months before the research was published. Axis strongly recommends end users to update firmware for affected Axis products in a controlled manner. To cost efficiently deploy the upgraded firmware, Axis recommends using the tool Axis Device Manager, which will continuously monitor and notify of available firmware.