Researchers from Claroty's Team82 discovered 13 zero-day vulnerabilities in Akuvox E11, a smart intercom and camera device. These vulnerabilities can be exploited through three attack vectors: remote code execution within the local area network, remote activation of the device's camera and microphone, and access to external and insecure FTP servers. These flaws could allow attackers to control the device's camera and microphone, steal video and images, or gain a network foothold. Akuvox has not patched the device, and several attempts by the research team and the CERT Coordination Center to contact the vendor and coordinate disclosure were unsuccessful.
The vulnerabilities found by Team82 include missing authentication, hard-coded encryption keys, missing or improper authorization, and exposure of sensitive information to unauthorized users. Remote code execution can be achieved by exploiting two of the vulnerabilities: missing authentication for a critical function and a command injection vulnerability. Another vulnerability allows remote activation of the camera and microphone without authentication. Finally, motion-activated images taken by the device are uploaded to an external and insecure FTP file storage server, where they can be accessed by attackers.
Organizations can mitigate these vulnerabilities by ensuring that the device is not exposed to the internet and by segmenting and isolating the device from the rest of the enterprise network. It is also recommended that the default password protecting the web interface be changed and that only ports needed to configure the device be opened.
The discovery protocol for the device should be disabled by blocking UDP port 8500 for incoming traffic. Despite Akuvox's failure to acknowledge the disclosure attempts, Claroty's Team82 has shared information about the vulnerabilities in the hope that users can take proactive measures to defend their organizations. The disclosure was also shared with the Cybersecurity and Infrastructure Security Agency (CISA), which has published an advisory on the 13 vulnerabilities.
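As an added example (not from the article or from Team82), the following Python script checks accepted-connection records from a firewall against the mitigations listed above: no internet exposure, isolation from the rest of the network, only configuration ports open, UDP port 8500 blocked, and no uploads to an external FTP server. The device address, the subnets, configuration port 443, FTP port 21 and the `src,dst,proto,dport` record format are assumptions; only UDP port 8500 comes from the text.

```python
import ipaddress

# Assumed values for illustration; only UDP 8500 comes from the article.
INTERCOM = ipaddress.ip_address("10.20.0.10")      # hypothetical device address
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # hypothetical enterprise range
ADMIN_NET = ipaddress.ip_network("10.20.0.0/28")   # hypothetical isolated admin segment
CONFIG_PORTS = {("tcp", 443)}                      # assumed port needed to configure the device
DISCOVERY = ("udp", 8500)                          # discovery port named in the article
FTP = ("tcp", 21)                                  # standard FTP control port (assumed)

def audit_flow(src, dst, proto, dport):
    """Return the mitigation findings raised by one accepted flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    service = (proto.lower(), int(dport))
    findings = []
    if dst == INTERCOM:
        if src not in INTERNAL:
            findings.append("internet-exposed")    # device reachable from outside
        elif src not in ADMIN_NET:
            findings.append("not-segmented")       # reachable from the wider network
        if service == DISCOVERY:
            findings.append("discovery-open")      # UDP 8500 should be blocked inbound
        elif service not in CONFIG_PORTS:
            findings.append("unneeded-port")       # port not required for configuration
    elif src == INTERCOM and service == FTP and dst not in INTERNAL:
        findings.append("external-ftp")            # image upload leaving the network
    return findings

def audit(lines):
    """Map each offending 'src,dst,proto,dport' line to its findings."""
    report = {}
    for line in filter(None, map(str.strip, lines)):
        findings = audit_flow(*line.split(","))
        if findings:
            report[line] = findings
    return report

# Constructed sample records (not real traffic).
SAMPLE = """\
10.20.0.2,10.20.0.10,tcp,443
10.30.4.77,10.20.0.10,udp,8500
203.0.113.9,10.20.0.10,tcp,80
10.20.0.10,198.51.100.20,tcp,21
"""

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE.splitlines()).items():
        print(flow, "->", ", ".join(findings))
```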