Claroty’s Team82 finds 13 vulnerabilities in Akuvox E11 smart intercoms exposing privacy, safety risks

Claroty’s Team82 released Thursday details of the discovery of vulnerabilities found in Akuvox E11 smart intercoms, potentially leading to serious privacy and safety risks. The 13 vulnerabilities would allow a malicious hacker to remotely activate the camera and microphone, collect motion-activated images, and disable door locks wherever the intercom is in use. These vulnerabilities remain unpatched, as the vendor has ignored several contact attempts by Team82 and a U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory. 

Claroty also added that it involved the CERT Coordination Center (CERT/CC), which also made multiple attempts to contact the vendor to no avail. “After months of failed attempts, we disclosed our findings to CISA in December; CISA also had no success in working with Akuvox, and today published an advisory describing 13 vulnerabilities found by Team82,” the post added.

The vulnerabilities include the generation of a predictable IV with CBC mode, use of a hard-coded cryptographic key, missing authentication for a critical function, storing passwords in a recoverable format, a weak password recovery mechanism for forgotten passwords, command injection, reliance on the filename or extension of an externally supplied file, missing authorization, improper access control, exposure of sensitive information to an unauthorized actor, improper authentication, use of hard-coded credentials, and hidden functionality.

The exploitation of these vulnerabilities could cause loss of sensitive information, unauthorized access, and grant full administrative control to an attacker. Vera Mens and Amir Preminger of Claroty Research reported these vulnerabilities to CISA.

In the CISA advisory, Akuvox recommends users disconnect Akuvox E11 devices from the internet until these vulnerabilities are fixed. “If this is not possible, users should ensure that the camera is not recording any sensitive information,” it added.

These vulnerabilities can be exploited via three main attack vectors – remote code execution within the local area network; remote activation of the device’s camera and microphone and transmission of data back to the attacker; and access to an external, insecure FTP server and the download of stored images and data.

The vulnerabilities remain unpatched after many unsuccessful attempts to contact and coordinate the disclosure with the Chinese vendor, a global leader in SIP-based smart intercoms, Team82 researchers wrote in their Thursday blog post. “Our efforts to reach Akuvox began in January 2022, and along the way, several support tickets were opened by Team82 and immediately closed by the vendor before our account was ultimately blocked on Jan. 27, 2022,” they added. 

The researchers said that the flaws found are severe, and pose potentially damaging privacy violations for affected organizations and users. Two of the vulnerabilities found by Team82 – missing authentication for a critical function (CVE-2023-0354), and a command injection vulnerability (CVE-2023-0351) – can be chained to remotely execute code on the local network. If a vulnerable device is exposed to the internet, an attacker can use these flaws to take over the device, run arbitrary code, and possibly move laterally on the enterprise or small business network. 

The Akuvox website describes these devices as the first line of defense at retirement homes, warehouses, apartment buildings, parking garages, medical centers, and even single-family homes. 

Another vulnerability (CVE-2023-0348) can be leveraged to remotely activate the camera and microphone, without authentication, and transmit the data to the attacker. In privacy-sensitive organizations, such as healthcare centers, this can put organizations in violation of numerous regulations designed to ensure patient privacy. 

Data released by Microsoft identified that the convergence between the IT world’s laptops, web applications, and hybrid workspaces, and the OT world’s factory and facility-bound control systems, brings severe risks by allowing attackers to ‘jump’ air gaps between formerly physically isolated systems. This makes IoT devices, like cameras and smart conference rooms, risk catalysts by creating novel entryways into workspaces and other IT systems.

Coming to the collection of motion-activated images from all intercoms, the Claroty researchers said that in this scenario, since the door phone camera is motion-activated, images are taken and uploaded to an external and insecure FTP file storage server. “The images are available for periods of time on the server before they’re periodically deleted. In this time window, an attacker would be able to download images from Akuvox intercoms running anywhere,” they added.

Using the FTP vulnerability, Team82 researchers said that “we can see pictures from arbitrary devices, but is it possible to trigger this functionality and turn on specific cameras? Remember, although we have an arbitrary code execution allowing us to take pictures from internet-exposed devices and devices on the local network, what about the devices behind NAT?”

The best place to look for the possibility of turning on a specific camera was the Session Initiation Protocol (SIP), the post said. “SIP is a communication protocol used for real-time communication sessions between two or more participants over IP networks. SIP controls multimedia communication sessions such as voice and video calls, instant messaging, and online games,” they added.

SIP is also an open standard protocol and is widely used for voice-over-IP (VoIP) applications. It operates on a request-response model and is based on a client-server architecture. SIP clients can initiate communication sessions by sending SIP requests to a SIP server, which will then forward the requests to the appropriate destination. Additionally, SIP establishes multimedia sessions involving multiple participants through the use of SIP proxies and SIP servers, which manage communication and routing of data between the participants.

“One person calls another and they can exchange over IP both voice and video. In the context of the Akuvox E11, an administrator can make a call to an intercom he owns with the mobile app,” the researchers detailed. “We tested this using the intercom at our lab and another one at the office entrance. Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab’s account to the intercom at the door.” 

They added that the issue stems from a missing authorization check. “The platform does not verify that the caller is the owner of the edge device and therefore, it’s possible to call using SIP to any intercom and as a consequence to get the video and audio feed (CVE-2023-0348).”

“This is where we stopped our research and decided to disclose the vulnerabilities. Unfortunately, the coordination between Team82 and Akuvox did not go as planned,” the researchers added.

Despite Akuvox’s failure to acknowledge the numerous disclosure attempts made by Team82 and others, Claroty has provided several mitigation measures. “First would be to ensure an organization’s Akuvox device is not exposed to the internet in order to shut off the current remote attack vector available to threat actors. Administrators would, however, likely lose their ability to remotely interact with the device over the SmartPlus mobile app,” the researchers added. 

Within the local area network, organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network, the blog post noted. “This prevents any lateral movement an attacker with access to the device might gain. Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints. Furthermore, only ports needed to configure the device should be opened; we also recommend disabling UDP port 8500 for incoming traffic, as the device’s discovery protocol is not needed,” it added.

Finally, “we recommend changing the default password protecting the web interface. Right now the password is weak and included in the documentation to the device, which is publicly available,” the researchers wrote.
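Turning the mitigation steps above into a check a defender can run: the following added example (not Claroty’s or Akuvox’s code) audits constructed firewall flow records for an isolated intercom segment, flagging inbound traffic from public addresses, inbound UDP/8500, and any peer outside a minimal allow-list. The segment address, the peer addresses, the record format and every port except 8500 are assumptions.

```python
"""Flow-log audit for an isolated Akuvox intercom segment (added example).
Not Claroty's or Akuvox's code; addresses, the record format and every
port except 8500 are constructed for illustration."""
import ipaddress

INTERCOM_SEGMENT = ipaddress.ip_network("10.50.0.0/24")    # placeholder segment
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISCOVERY_PORT = 8500   # UDP discovery protocol; the blog says to drop it inbound
# Minimal allow-list of (peer address, protocol, destination port).
ALLOWED = {
    ("10.10.0.5", "tcp", 443),   # admin workstation -> device web interface
    ("10.10.0.9", "udp", 5060),  # device -> local SIP server
}


def parse_flow(line: str) -> tuple:
    """Constructed record format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def audit_flow(src: str, dst: str, proto: str, dport: int) -> list:
    """Return policy violations for one flow; an empty list means compliant."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    to_device, from_device = d in INTERCOM_SEGMENT, s in INTERCOM_SEGMENT
    if to_device == from_device:
        return []   # either unrelated to the segment or never leaves it
    findings = []
    if to_device and not any(s in n for n in PRIVATE):
        findings.append("internet exposure: inbound from a public address")
    if to_device and proto == "udp" and dport == DISCOVERY_PORT:
        findings.append("discovery protocol: inbound UDP/8500 must be dropped")
    peer = src if to_device else dst
    if (peer, proto, dport) not in ALLOWED:
        findings.append(f"segmentation: {peer} {proto}/{dport} is not allow-listed")
    return findings


def audit_log(lines: list) -> dict:
    """Map each non-compliant record to its findings."""
    return {ln: v for ln in lines if (v := audit_flow(*parse_flow(ln)))}


# Constructed sample: two compliant records followed by three violations.
SAMPLE_LOG = [
    "10.10.0.5 10.50.0.20 tcp 443",
    "10.50.0.20 10.10.0.9 udp 5060",
    "203.0.113.7 10.50.0.20 tcp 80",
    "10.10.0.77 10.50.0.20 udp 8500",
    "10.50.0.20 10.20.0.15 tcp 445",
]
```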
