Flaws in 390 Axis IP Camera Models Allow Attackers to Take Control


The VDOO security research team announced on Monday that it has spent the past few months conducting large-scale security research on leading IoT products. In most cases, the research is carried out together with the equipment suppliers to improve efficiency and transparency.

As part of this study, researchers from the VDOO team discovered zero-day vulnerabilities in the equipment of several vendors. In line with responsible disclosure best practices, these vulnerabilities have been disclosed to the vendors, and the team will gradually share vulnerability details after the disclosure period ends.

Axis Communications is one of the vendors in whose devices the VDOO team found vulnerabilities. The team found a series of critical vulnerabilities in Axis IP cameras. These vulnerabilities enable an attacker who knows a camera's IP address to remotely take over the camera (via a local area network or the Internet). Reportedly, VDOO disclosed a total of seven vulnerabilities to the Axis security team.

The vulnerabilities are tracked by MITRE as CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663, and CVE-2018-10664.

Combining three of the reported vulnerabilities allows unauthenticated, remote attackers to gain access to the camera’s login page over the network (without any prior access or camera credentials), giving them full control over the affected camera. An attacker with this control can do the following:

  • Access the camera's video stream
  • Freeze the camera's video stream
  • Control the camera: turn the lens to the desired position, turn motion detection on or off
  • Add the camera to a botnet
  • Change the camera's software
  • Use the camera as an entry point into the network (to perform lateral movement)
  • Render the camera unusable
  • Use the camera to perform other malicious tasks (such as DDoS attacks, Bitcoin mining, etc.)

The vulnerable products include 390 different models of Axis IP cameras. The full list of affected products is available here.

The VDOO team pointed out that these vulnerabilities have not been exploited yet, so they have not caused any specific privacy violations or security threats to Axis users. However, it strongly recommends that Axis users who have not yet updated their camera firmware do so immediately or otherwise reduce the risk.

The VDOO team has also published articles that detail how to check whether your device is vulnerable, how to determine whether it has been breached, what measures to take if it has, and how to upgrade the device firmware.