A Chinese company, Akuvox, has developed an intelligent intercom product that has been found to have over a dozen vulnerabilities. These vulnerabilities have the potential for serious exploitation, specifically for spying purposes.
Researchers at industrial and IoT cybersecurity firm Claroty discovered the vulnerabilities in Akuvox’s E11 product. The product is marketed as a video doorphone designed for homes, villas, offices, and warehouses, and includes live video streaming, motion detection, and access control capabilities. It has been used worldwide.
The researchers found 13 vulnerabilities related to weak encryption, the use of hardcoded cryptographic keys, sensitive information exposure, insecure password recovery mechanisms, command injection flaws, improper access control and authentication, missing authorization, and hidden functionality that can be abused for malicious purposes. Most of these vulnerabilities have been assigned ‘critical’ and ‘high’ severity ratings.
An attacker could exploit the flaws for remote code execution, remotely activating a device’s microphone and camera and transmitting data to a remote server, and obtaining stored images and data captured by the device. This could allow an attacker to take complete control of the targeted Akuvox device and spy on users, open doors, and gain a foothold into the targeted organization’s network.
While there do not appear to be any patches available, the risk can be mitigated by ensuring the device is not exposed to the internet, isolating it from the rest of the enterprise network to prevent lateral movement, and changing the default password for the web interface.
Key Points:
- A Chinese company’s smart intercom product is affected by more than a dozen vulnerabilities, including potentially serious flaws that can be exploited for spying.
- The product, called Akuvox’s E11, has been used worldwide and includes live video streaming, motion detection, and access control capabilities.
- The researchers found 13 vulnerabilities related to weak encryption, the use of hardcoded cryptographic keys, sensitive information exposure, insecure password recovery mechanisms, command injection flaws, improper access control and authentication, missing authorization, and hidden functionality.
- An attacker could exploit the flaws for remote code execution, remotely activating a device’s microphone and camera and transmitting data to a remote server, and obtaining stored images and data captured by the device.
- The risk can be mitigated by ensuring the device is not exposed to the internet, isolating it from the rest of the enterprise network to prevent lateral movement, and changing the default password for the web interface.