Nearly 400 Axis camera models found riddled with bugs that could give attackers full control
Security researchers have discovered several critical vulnerabilities in nearly 400 Axis camera models that could allow attackers to take full control of the devices or ensnare them in botnets. Researchers at security firm VDOO found that the flaws in the internet-connected cameras could let an attacker who knows only a camera's IP address take over the device, access its video stream, control its motion, or render it useless altogether.
VDOO has disclosed seven vulnerabilities to Axis - CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663, and CVE-2018-10664.
"Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera," VDOO researchers write in a blog post.
An attacker with root control over a vulnerable device could access or freeze its video stream, listen to its audio, control its movement, add it to a botnet, or alter its software. A compromised camera could also serve as an entry point for wider attacks on the targeted network, or be used, together with other affected cameras, to mount powerful DDoS attacks.
"The reason that vulnerabilities that enable root access are so threatening, is that the attacker can practically use any feature of the camera and beyond," VDOO founder and CTO Asaf Karas told ZDNet. "With the right resources, if someone knows of such vulnerabilities for a long time before they are patched -- he or she could definitely violate individual's privacy and organization's security in a significant manner; and also could attack other targets using many of the affected cameras".
However, VDOO said that, to the best of its knowledge, the vulnerabilities were not exploited in the wild and "did not lead to any concrete privacy violation or security threat."
Axis was notified of the vulnerabilities and released updated firmware for all affected products two months before the research was published.
"Axis strongly recommends end users to update firmware for affected Axis products in a controlled manner,” the company said. “To cost efficiently deploy the upgraded firmware, Axis recommends using the tool Axis Device Manager, which will continuously monitor and notify of available firmware.”
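Before rolling out firmware in the "controlled manner" Axis describes, an operator needs to know which cameras are still running old builds. The script below is an added example, not code from VDOO, Axis or the article: it reads each camera's firmware version through the VAPIX parameter API (`/axis-cgi/param.cgi?action=list&group=...`, which requires device credentials) and flags devices below a per-model minimum version. The minimum versions in the script are placeholders; the real fixed versions for each product are in the Axis advisory and are not stated on this page. The sample response and host names are constructed, so the parsing and comparison logic runs offline.

```python
"""Fleet check for Axis camera firmware via the VAPIX parameter API.

Added example (not VDOO's or Axis's code). Fetches
/axis-cgi/param.cgi?action=list&group=Properties.Firmware,Brand from each
camera and compares root.Properties.Firmware.Version against a per-model
minimum the operator takes from the Axis advisory.
"""
import re
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple

PARAM_GROUPS = "Properties.Firmware,Brand"  # comma-separated groups, as param.cgi accepts

# Constructed sample of a param.cgi response (not captured from a real device).
SAMPLE_RESPONSE = """root.Brand.ProdNbr=M3004
root.Brand.ProdType=Network Camera
root.Properties.Firmware.BuildDate=Apr 10 2018 10:25
root.Properties.Firmware.BuildNumber=5
root.Properties.Firmware.Version=5.50.5.5
"""

# Placeholder minimums keyed by product number; "*" is the fallback for
# models not listed. Replace with the fixed versions from the Axis advisory.
PLACEHOLDER_MINIMUMS: Dict[str, str] = {"M3004": "5.51.7.3", "*": "8.40.1"}


def parse_param_list(text: str) -> Dict[str, str]:
    """Turn 'root.Group.Name=value' lines into a dict; blank or malformed lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_version(version: str) -> Tuple[int, ...]:
    """Axis versions are dot-separated integers ('5.50.5.5', '8.40.1'); any
    non-numeric suffix such as '_beta' is ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_below(version: str, minimum: str) -> bool:
    """True if `version` is older than `minimum`. Shorter tuples are zero-padded,
    so '8.40' equals '8.40.0' instead of sorting below it."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess_camera(host: str, param_text: str, minimums: Dict[str, str]) -> Dict[str, object]:
    """Decide whether one camera needs an update from its param.cgi output.
    needs_update is None when the version or the required minimum is unknown."""
    params = parse_param_list(param_text)
    model = params.get("root.Brand.ProdNbr", "unknown")
    version: Optional[str] = params.get("root.Properties.Firmware.Version")
    required: Optional[str] = minimums.get(model, minimums.get("*"))
    needs_update: Optional[bool] = None
    if version is not None and required is not None:
        needs_update = is_below(version, required)
    return {"host": host, "model": model, "version": version,
            "required": required, "needs_update": needs_update}


def fetch_params(host: str, user: str, password: str, timeout: float = 5.0) -> str:
    """Fetch the parameter list over HTTP. Axis devices use Digest auth
    (older firmware may fall back to Basic), so both handlers are registered."""
    url = f"http://{host}/axis-cgi/param.cgi?action=list&group={PARAM_GROUPS}"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(mgr),
        urllib.request.HTTPBasicAuthHandler(mgr),
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_fleet(hosts: Iterable[str], user: str, password: str,
                minimums: Dict[str, str]) -> List[Dict[str, object]]:
    """Run the check across a fleet; unreachable or unauthenticated cameras are
    reported with an 'error' field rather than aborting the sweep."""
    results: List[Dict[str, object]] = []
    for host in hosts:
        try:
            results.append(assess_camera(host, fetch_params(host, user, password), minimums))
        except Exception as exc:  # network, auth and parse failures all land here
            results.append({"host": host, "error": str(exc), "needs_update": None})
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against real devices call
    # check_fleet(["192.0.2.10", "192.0.2.11"], "root", "<password>", minimums).
    print(assess_camera("cam-sample", SAMPLE_RESPONSE, PLACEHOLDER_MINIMUMS))
```

Run it with a read-only viewer account rather than root where the firmware allows it, and treat a camera that answers param.cgi without credentials as a finding in its own right. Because fixed versions differ per product line, the per-model map matters: a single fleet-wide threshold would misreport cameras on older but patched firmware branches.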