
Researchers Uncover Over a Dozen Security Flaws in Akuvox E11 Smart Intercom

On March 13, 2023, Claroty security researcher Vera Mens revealed that more than a dozen security flaws had been discovered in Akuvox E11, a smart intercom product made by Chinese company Akuvox. These vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold. Akuvox E11 is described as a “SIP [Session Initiation Protocol] video doorphone specially designed for villas, houses, and apartments.” The most severe of the issues are CVE-2023-0344 (CVSS score: 9.1), CVE-2023-0345 (CVSS score: 9.8), CVE-2023-0352 (CVSS score: 9.1), and CVE-2023-0354 (CVSS score: 9.1).

A majority of these 13 security issues remain unpatched to date, with the industrial and IoT security company noting that Akuvox has since addressed the FTP server permissions issue by disabling “the ability to list its content so malicious actors could not enumerate files anymore.” In response to the findings, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) advisory of its own last week, warning of the potential for loss of sensitive information, unauthorized access, and an attacker gaining full administrative control.

To protect against these vulnerabilities, organizations using the doorphone are advised to disconnect it from the internet until the vulnerabilities are fixed, change the default password used to secure the web interface, and segment and isolate the Akuvox device from the rest of the enterprise network to prevent lateral movement attacks.

In conclusion, the discovery of these security flaws in Akuvox E11 highlights the importance of staying up-to-date with the latest security updates and practicing good cybersecurity hygiene. Organizations that are using the device should take immediate steps to protect themselves from potential attacks by disconnecting it from the internet, changing the default password, and segmenting the device from the rest of the enterprise network.

Key Points:
• More than a dozen security flaws were discovered in Akuvox E11, a smart intercom product made by Chinese company Akuvox
• The vulnerabilities could allow attackers to execute code remotely and gain access to the device’s camera and microphone
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) advisory in response
• Organizations using the device should disconnect it from the internet until the vulnerabilities are fixed, change the default password, and segment and isolate the device from the rest of the enterprise network
