Written by Team82.
What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project, which uncovered 13 vulnerabilities that could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold. The 13 vulnerabilities can be exploited via three main attack vectors:
- Remote code execution within the local area network
- Remote activation of the device’s camera and microphone, with the captured data transmitted back to the attacker
- Access to an external, insecure FTP server to download stored images and data
The device, the Akuvox E11, remains unpatched after many unsuccessful attempts to contact and coordinate the disclosure with the Chinese vendor, a global leader in SIP-based smart intercoms. Our efforts to reach Akuvox began in January 2022, and along the way several support tickets were opened by Team82 and immediately closed by the vendor before our account was ultimately blocked on Jan. 27, 2022.
We involved the CERT Coordination Centre (CERT/CC), which also made multiple attempts to contact the vendor to no avail. After months of failed attempts, we disclosed our findings to ICS-CERT in December; ICS-CERT also had no success in working with Akuvox, and today published an advisory describing 13 vulnerabilities found by Team82. The flaws include missing authentication, hard-coded encryption keys, missing or improper authorisation, and the exposure of sensitive information to unauthorised users.
Today, Team82 also published a technical blog describing some of the details of these zero-day vulnerabilities. We believe it’s in the best interest of the user community to share this information in the hope that users can take proactive measures to defend their organisations, whether it’s by taking remediation steps recommended below, discarding the device altogether, or pressuring the vendor to indeed address these vulnerabilities.
Our Research Journey
Like most successful startups, Claroty quickly outgrew its office space. One surprise that greeted us when we moved into our shiny new location last year was the Akuvox E11. While most wouldn’t find this too exciting, the sight of a smart intercom and camera attached to an ethernet cable starts a security and vulnerability researcher’s heart pumping faster.
Our first notion in poking around this new connected device was to figure out whether it could make our team’s life simpler. For example, having an office near the closest entrance meant that we’d spend a lot of time getting up from our desks to let people in if the receptionist wasn’t around. It’s not fun.
We decided to hunt for an API that we could use to open the door; given this is a smart intercom and door system, there must be one. Fortunately, we didn’t have to dig too deeply; it was right in the documentation.
Before long, we decided the device was interesting enough to continue researching it. We acquired a device, explored the firmware, emulated the local web server on a Raspberry Pi, and began our hunt for vulnerabilities on the local environment. Once the device itself arrived, we were able to quickly take what we’d learned in the emulated local environment and apply it to the physical device.
The flaws we found are severe, and pose potentially damaging privacy violations for affected organisations and users. There are three attack vectors we’d like to share:
- Remote Code Execution: Two of the vulnerabilities found by Team82—missing authentication for a critical function (CVE-2023-0354), and a command injection vulnerability (CVE-2023-0351)—can be chained to remotely execute code on the local network. If a vulnerable device is exposed to the internet, an attacker can use these flaws to take over the device, run arbitrary code, and possibly move laterally on the enterprise or small business network. According to the Akuvox website, these devices are the first line of defense at retirement homes, warehouses, apartment buildings, parking garages, medical centres, and even single-family homes.
- Open the Camera Remotely: Another vulnerability (CVE-2023-0348) can be leveraged to remotely activate the camera and microphone, without authentication, and transmit the data to the attacker. In privacy-sensitive organisations, such as healthcare centres, this can put organisations in violation of numerous regulations designed to ensure patient privacy.
- Collect Motion-Activated Images from All Intercoms: In this scenario, since the door phone camera is motion-activated, images are taken and uploaded to an external and insecure FTP file storage server. The images are available for periods of time on the server before they’re periodically deleted. In this time window, an attacker would be able to download images from Akuvox intercoms running anywhere.
Mitigation Recommendations
Despite Akuvox’s failure to acknowledge the numerous disclosure attempts made by Team82 and others, we still recommend a number of mitigation measures.
First would be to ensure an organisation’s Akuvox device is not exposed to the internet in order to shut off the current remote attack vector available to threat actors. Administrators would, however, likely lose their ability to remotely interact with the device over the SmartPlus mobile app.
Within the local area network, organisations are advised to segment and isolate the Akuvox device from the rest of the enterprise network. This prevents an attacker who gains access to the device from moving laterally. Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints. Furthermore, only the ports needed to configure the device should be opened; we also recommend blocking incoming traffic to UDP port 8500, as the device’s discovery protocol is not needed.
Finally, we recommend changing the default password protecting the web interface. Right now the password is weak and included in the documentation to the device, which is publicly available.
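The segmentation and port restrictions above, expressed as an nftables policy for a Linux gateway sitting in front of the intercom’s network segment. This is an added example, not Akuvox’s or Team82’s configuration; the management ports (TCP 80/443 for the web interface) and the admin host allowlist are assumptions that should be adjusted to the actual deployment.

```shell
#!/bin/sh
# Generate (and optionally apply) an nftables ruleset that isolates an
# Akuvox intercom segment behind a Linux gateway.
# Assumptions (not from the article): management happens only via the web
# UI on TCP 80/443, and only an explicit list of admin hosts may reach it.
# Usage: akuvox_policy.sh <intercom-ip> "<admin-ip> [<admin-ip> ...]" [--apply]

gen_akuvox_policy() {
    device="$1"
    [ -n "$2" ] || { echo "at least one admin host is required" >&2; return 1; }
    # Word-split the admin list on whitespace and join it with commas for an nft set.
    admins=$(printf '%s\n' $2 | paste -sd, -)
    cat <<EOF
table inet akuvox_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that the admin hosts opened.
        ct state established,related accept

        # Only the named admin hosts may reach the web interface.
        ip saddr { $admins } ip daddr $device tcp dport { 80, 443 } accept

        # The discovery protocol (UDP 8500) is not needed: drop it, but count and log it.
        ip daddr $device udp dport 8500 counter log prefix "akuvox-discovery " drop

        # The intercom initiates nothing: no internet egress, no lateral movement.
        # Logged so outbound attempts (e.g. uploads to an external FTP server) are visible.
        ip saddr $device counter log prefix "akuvox-egress " drop
    }
}
EOF
}

# Print the ruleset, or load it into the kernel when --apply is given.
if [ "$#" -ge 2 ]; then
    if [ "$3" = "--apply" ]; then
        gen_akuvox_policy "$1" "$2" | nft -f -
    else
        gen_akuvox_policy "$1" "$2"
    fi
fi
```

The logged prefixes give the SOC a simple detection hook: any "akuvox-egress" entry is the device trying to talk out of its segment, which the policy says it should never do.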