Security researchers have discovered several vulnerabilities in the security cameras used by Axis Communications.
Nearly 400 devices were affected by the vulnerabilities, which were first spotted by VDOO, a cybersecurity firm, as staff were engaged in in-depth research of different IoT devices being used by multiple companies.
The security team managed to find at least seven serious vulnerabilities that allowed an attacker to gain access to hundreds of cameras and monitor everything within the premises in which the cameras are installed.
A patch was soon released to fix the issue.
Remote Access Security Flaws
The security firm, VDOO, revealed further information about the issue and the level of damage such a vulnerability could cause to Axis users.
They confirmed that any attacker who manages to identify the IP address of a particular camera will be able to access it remotely.
They can take full control of the device without any authentication from the administrator team. The monitoring team may also not be aware that someone is actually using their own cameras unless they manually spot any irregular movements as everything is done remotely, in the software side.
Vulnerability May Grant Full Access to an Attacker
When an attacker gains access to the camera, they will acquire full control over the device—allowing them to control the direction of all the cameras and their functions, as well as the video stream they continuously record throughout the day and night.
The attackers will also have the ability to freeze a frame, alter the software used in it or add the device to a botnet.
Some of the more critical usage scenarios include using the camera to mine cryptocurrencies, to launch it as a bot during a DDoS attack or to use it for lateral movement within the network.
The security experts who managed to find the issue further explained the type of vulnerabilities that could lead to such remote hacking scenario:
They allow an attacker to bypass administrator passwords and privileges to acquire authentication, manually send special requests by rooting the device and inject arbitrary shell commands.
Patch Released by Axis
VDOO staff further added that the attacker can crash the entire camera network, consisting of 400 cameras or even more.
The hacked peripherals can also acquire video feeds stored in the past that may give an attacker more information on the streamed footage and the location where they are being used.
The firm released all the technical details with regards to these vulnerabilities and also revealed proof-of-concept code to the general public.
While security experts may find this useful, the technical details may be too complicated for the average person.
Axis Communications was quick to respond to the issue as they published an advisory which lists all the cameras that were confirmed to have the vulnerability.
They also listed the updated firmware version numbers, which bundles the patches to fix the issues spotted by the security experts.
No Harm Caused by the Vulnerability
Security experts involved in the discovery confirmed that there are no known issues or hacking attempts done by exploiting these identified vulnerabilities. I
Axis has advised all their users to immediately update the patch to safeguard themselves against a possible attack.
Last year, another cybersecurity firm, Senrio, also identified a security flaw which would allow a hacker to use Axis cameras as part of a DDoS attack.
It was considered a more serious flaw as it involved third-party components. Upon receiving the information from the security researchers, the company responded by releasing a patch.
When IoT devices are prevalently used, such issues are common. They may sound threatening to most users, but if security firms continue to fix any bugs, they may not cause any security or privacy issues to product owners.