Not so private eye: Got an Axis network cam? You'll need to patch it, unless you like hackers

Researchers have detailed a string of vulnerabilities that, when exploited in combination, would allow for hundreds of models of internet-linked surveillance cameras to be remotely hijacked. Security biz VDOO said today it privately alerted cam-maker Axis Communications to the seven bugs it found in its gizmos, leading to the …

  1. Sureo

    So this is how on those cop shows they can hack into any camera anywhere.

    1. Anonymous Coward

      No need to exploit flawed code...

      *Points to the sticker that reads "Designed for Windows 10!"*

      I'll get my coat, it's the one with pockets bulging with NSA brown envelopes.

  2. Anonymous Coward

    Attack Vector

    "To perform the attack, a hacker would first run an exploit for CVE-2018-10661, an authorization bypass that allows the attacker to access /bin/ssid, which runs as root, via unauthenticated HTTP requests."

    Being a CCTV installer (Thankfully not one that uses Axis, although I believe their kit is far from the low-level stuff like Dahua and whatnot) - I can't envisage one of our cameras' interfaces ever being exposed to the internet for someone to perform this attack. I'm *NOT* saying this means it's acceptable to have such a vulnerability, but the chances of a camera sitting on an open port-80 even without any known exploits is asking for serious trouble!

    1. GarethWright.com

      Re: Attack Vector

      I won't say where (though it's trivial to establish with a little Google foo), but a large number of Axis cams were installed in a new build and linked to the B.M.S.

      The cameras were all added to CCTV module which was compiled with hard coded credentials...which of course were default. To make matters worse the BMS company (Massive "professional" outfit) installed the cameras and BMS on the same VLAN as the standard traffic. Anyone on the WiFi or plugging into an ethernet port (oh btw they fitted active ones in the loos) can simply load up the Axis camera management tools and discover and access every camera on the network without needing any CVEs at all.

      So yeah....plenty of places with Attack Vectors, some places are worse and have them on the internet

      https://www.shodan.io/search?query=AXIS

    2. Kevin McMurtrie Silver badge

      Re: Attack Vector

      The Axis cameras receive regular updates and they can be exposed on the Internet. Their selling point is that they are completely self-contained security systems and they use standard protocols for optional integration.

      1. Adam JC

        Re: Attack Vector

        Genuine question, what possible need would you have to expose an IP camera to the internet other than in standalone configuration? I also install CCTV and the IP cameras themselves are usually on an entirely different VLAN & Subnet, with zero outbound access to anything via ACL other than a few manufacturer IPs for firmware updates. (And certainly not accessible in-bound via the internet!) The NVR would be the only device exposed directly to the internet.

  3. Robert Helpmann??

    Security...

    ... I don't think that word means what you think it means.

    Another story about an IoT security device that isn't secure. Good to get the word out. What about those IoT devices that have been verified to be secure? At this point, they would be newsworthy if only for the novelty. What does Google have to say on the matter? A search of "verified secure iot devices" yields 4 ads followed by a page full of academic proposals for methods to secure the world of IoT and various companies trying to sell the same. From what I can see, these devices should be considered inherently insecure and managed as such.

    IoT: Insecure at any time

  4. GnuTzu

    Creepy Voyeurs are Getting In

    From NPR: S.C. Mom Says Baby Monitor Was Hacked; Experts Say Many Devices Are Vulnerable

    https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable

    I should say: "be careful what you do around these things", but the consumers that are being preyed upon aren't listening.

  5. MasterofDisaster

    Automated patch management

    Have to give some credit to Axis that was not pointed out in the article - they are one of the leaders (along with Viakoo) for developing automated ways of updating firmware on cameras. The reality of surveillance cameras is they have been "set it and forget it" for a long time, and the idea of updating firmware is genuinely new to the industry. Without an automated firmware update mechanism camera vendors may as well not bother; it's unrealistic to have the facilities guy on a ladder with a USB updating the hundreds/thousands of cameras across a large enterprise.
