Approximately 400 Axis Communications security camera models are affected by several vulnerabilities, including critical flaws that can be chained to take full control of a device and access its video stream.
As part of its research into the Internet of Things, the information security company VDOO has discovered a total of seven vulnerabilities in cameras manufactured by Axis. The manufacturer has identified nearly 400 affected models and has released security patches for each of them.
According to specialists in information security training, an attacker who knows the IP address of the target camera can take full control of the device remotely and without authentication. This includes accessing the video stream, freezing the video stream, controlling the direction and functions of the camera (motion detection, for example), altering its software, leveraging it for lateral movement within the network, using it for DDoS attacks and cryptojacking, and rendering the camera useless.
Three of the vulnerabilities can be chained to remotely hack a device. These allow an attacker to bypass authentication (CVE-2018-10661), send specially crafted requests (CVE-2018-10662) and inject arbitrary commands (CVE-2018-10660).
Experts from the International Institute of Cyber Security claim that the discovered flaws can be exploited by hackers to block multiple processes or obtain information from the device’s memory.
Axis has released a statement containing the names of all affected cameras.
This isn’t the first time vulnerabilities have been discovered in Axis cameras. A year ago, researchers and information security training specialists found a security flaw called Devil’s Ivy, which allowed an attacker to carry out a DoS attack or execute arbitrary code on Axis cameras. Because that flaw affected a third-party component, other devices were also affected.
As part of this series of research and papers related to the Internet of Things, serious vulnerabilities have also been discovered in Foscam cameras. Foscam also released patches, unlike last year, when researchers were forced to reveal multiple flaws after the manufacturer didn’t take action.