
7 Vulnerabilities in 400 Axis Camera Models Unearthed (CVE-2018-10658)


Several critical vulnerabilities have been uncovered in some 400 Axis camera models. The flaws could allow hackers to take full control of an affected camera or enlist it in a botnet. VDOO researchers unearthed the vulnerabilities, which could be exploited via the IP address of the camera. As a result, hackers could spy on any audio or video recordings.

More about the Vulnerabilities in Axis Cameras

The exact number of vulnerabilities is seven: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663, and CVE-2018-10664. According to the researchers, some of the vulnerabilities could be chained together in a single attack:

Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.

Furthermore, an attacker who obtained root control over a vulnerable camera could influence the way it works by accessing and freezing its video stream. They could also listen to audio, control the camera’s movement, tamper with its software, and include the camera in a botnet. The camera could also be deployed as an entry point for DDoS attacks.


In a conversation with ZDNet, VDOO CTO Asaf Karas said that root-access flaws are so threatening because the attacker “could practically use any feature of the camera and beyond”. “With the right resources, if someone knows of such vulnerabilities for a long time before they are patched — he or she could definitely violate individual’s privacy and organization’s security in a significant manner; and also could attack other targets using many of the affected cameras,” he added.

Fortunately, the researchers have reported that the vulnerabilities haven’t been exploited in the wild, at least to the best of their knowledge. In other words, the flaws haven’t led to any concrete privacy violation or other security threat.




The vendor, Axis, has been informed and updated firmware has been released for the affected products. This was done two months before the research went public. This is what Axis said:

Axis has already been notified of the vulnerabilities and have released updated firmware for all affected products two months before the research was published. Axis strongly recommends end users to update firmware for affected Axis products in a controlled manner. To cost efficiently deploy the upgraded firmware, Axis recommends using the tool Axis Device Manager, which will continuously monitor and notify of available firmware.

Milena Dimitrova
