Axis Critical Security Vulnerability

By John Honovich, Published on Jul 06, 2016

Axis has disclosed a 'critical security vulnerability' in most Axis products shipped in the past ~6 years.

Risk of Vulnerability

This has been deemed 'critical' because if an attacker exploits this, they will 'get control of the product', meaning that they could then not only impact the camera's performance but use this to launch other attacks, etc.

Who Is At Risk

If a camera can be accessed, it likely is at risk for being taken over. In practical terms, the highest risk is those cameras exposed to the public Internet. It is important to note that this includes cameras that use UPnP or port forwarding as Axis themselves has acknowledged. Because of this, it is safer to upgrade all of your cameras in case there is any unknown openings. This is also a good reminder not to use UPnP or port forwarding.

Full Public Disclosure Made [Updated]

On July 18th, the researcher made a full public disclosure (report here) including a python script to prove / enable others to perform the attack. As such we strongly advise you to upgrade immediately.

Tested By IPVM

IPVM has tested the vulnerability using the researcher's disclosure. We found that it did allow getting root access to Axis cameras that allowed us to disable, deface and attack various devices.

Broad Vulnerability

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Products starting with firmware 5.20.x, which is from ~2010 time range (e.g., this 2010 5.20.x release note), are vulnerable. Technically, Axis says 6.30 firmware is not vulnerable but that is not shipping as of this publication.

Something they did or component they added in the 5.20.x firmware ~6 years ago is the source of the vulnerability. In that time frame, there has easily been millions of Axis cameras shipped, now at risk.

Delayed Announcement 

It took Axis about a week from the time they first informed partners (by email) to when they informed the general public with a press release.

Cybersecurity Industry Concerns

Axis has been hammering home cybersecurity as a differentiator, part of Axis' superior quality claims (disputed here). Indeed, Hikvision has suffered the most here. Now, Axis has its own issue to face. They will likely emphasize how technical / advanced this vulnerability is but, regardless, it is hard to really promote their own cybersecurity superiority, as they have been doing, in the immediate wake of this.

NOTE: This report was originally published on June 30th, when we first discovered it and substantially re-written on July 6th, when Axis issued a full press release and more details and updated again on July 18th after disclosure was made.

16 reports cite this report:

IPVM Vulnerability Scanner Released / Deprecated on Jun 18, 2018
IPVM is proud to announce video surveillance's first and only cybersecurity...
Cybersecurity for IP Video Surveillance Guide on May 18, 2018
Keeping surveillance networks secure can be a daunting task, but there are...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated...
Axis 5 Vulnerabilities Examined on Dec 01, 2017
A group of vulnerabilities, including a new discovery from bashis (who...
Vivotek Remote Stack Overflow Vulnerability on Nov 14, 2017
A stack overflow vulnerability in Vivotek cameras has been discovered by...
Dahua Trying, Struggling To Respond To Hacking Attacks on Oct 04, 2017
Now, 2 weeks since large-scale hacking attacks commenced against Dahua...
Milestone Entry Level Mobile Password Vulnerability Disclosed on May 24, 2017
While many manufacturers have only addressed cybersecurity vulnerabilities...
Axis Criticizes OEMs: "When You Buy An Axis Camera, An Axis Camera Is What You Get!" on May 19, 2017
When you buy a Honeywell camera, you likely get a Hikvision, Dahua or some...
Dahua Backdoor Uncovered on Mar 06, 2017
A major cyber security vulnerability across many Dahua products has been...
1 New Acquisition Per Year Planned for Qognify (Former Nice Security) on Aug 23, 2016
Want to be acquired? Qognify, the former Nice Security Group, has big money...
Axis OrwellLabs Exploit Tested on Jul 29, 2016
Another exploit has been reported for Axis cameras (OrwellLabs AXIS...
Axis FMS Vulnerability 2016 Tested on Jul 21, 2016
Full disclosure by the researcher of the Axis critical security vulnerability...
Axis, Pay Integrators To Fix Your Critical Defect on Jul 14, 2016
Axis should pay integrators to fix Axis' recent disclosed critical security...
IPVM Site Goes All HTTPS, Largest 3 Manufacturers Do Not [Axis, Dahua Fixed] on Jul 12, 2016
IPVM.com now serves all pages over HTTPS to improve security and privacy....
Axis Boasts Kicking Arecont Out of Google on Jul 11, 2016
Axis has displaced Arecont as the standard IP camera for Google, boasts...
Interview With Researcher Who Cracked Security Of 70+ DVR Brands on Jul 07, 2016
[link no longer available]The researcher who found an exploit in 70+ brands...
Comments (28) : Members only. Login. or Join.

Related Reports

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Verkada Speaks On Disrupting Security Sales Channel on Aug 28, 2020
Verkada's fast growth has taken the industry by storm and their enterprise...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Video Surveillance History on May 06, 2020
The video surveillance market has changed significantly since 2000, going...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
YOLOv5 Released Amidst Controversy on Jul 27, 2020
YOLO has gained significant attention within video surveillance for its...
China's SMIC Hit By US Trade Restrictions, Impact On Video Surveillance on Oct 13, 2020
US trade restrictions have hit Semiconductor Manufacturing International...

Recent Reports

VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...