VDOO, a security company focusing on protecting Internet of Things (IoT) devices, found multiple flaws in Axis surveillance cameras that attackers could have used to create exploit chains against the devices.
VDOO Analyzes Surveillance Cameras For Bugs
Over the past few months, VDOO has analyzed surveillance cameras from multiple vendors to see if it can find security flaws in them. The company said that the research was carried out together with the vendors for the sake of efficiency and transparency.
To no one’s surprise, the VDOO researchers found multiple zero-day vulnerabilities in devices from several vendors. The security company agreed to a coordinated disclosure process with the vendors, so the flaws for each vendor will be released when each disclosure is scheduled.
390 Axis Camera Models Impacted
Axis Communications was one of the vendors whose devices were affected by a “critical chain of vulnerabilities.” An attacker could have used these flaws to take over Axis cameras remotely, while knowing only the IP addresses of the cameras.
According to VDOO, an attacker could use three of the vulnerabilities found in the Axis cameras to do the following:
- Access the camera’s video stream
- Freeze the camera’s video stream
- Control the camera – move the lens to a desired point, turn motion detection on/off
- Add the camera to a botnet
- Alter the camera’s software
- Use the camera as an infiltration point for the network (performing lateral movement)
- Render the camera useless
- Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)
VDOO found that 390 camera models from Axis could have been exploited in this way. The company said that it hasn’t seen these vulnerabilities being exploited in the field. Axis seems to have issued updated firmware for all of those cameras, so owners of these cameras should update immediately.
VDOO also recommended that surveillance camera manufacturers minimize the privileges given to each part of the firmware so that the devices can’t be so easily exploited with a single bug; properly sanitize all input so that attackers can’t use special characters to take over the system; minimize use of shell scripts; and encrypt their devices’ firmware to discourage attackers from analyzing the firmware for bugs.