Axis Critical Security Vulnerability

Author: John Honovich, Published on Jul 06, 2016

Axis has disclosed a 'critical security vulnerability' in most Axis products shipped in the past ~6 years.

Risk of Vulnerability

This has been deemed 'critical' because if an attacker exploits this, they will 'get control of the product', meaning that they could then not only impact the camera's performance but use this to launch other attacks, etc.

Who Is At Risk

If a camera can be accessed, it likely is at risk for being taken over. In practical terms, the highest risk is those cameras exposed to the public Internet. It is important to note that this includes cameras that use UPnP or port forwarding as Axis themselves has acknowledged. Because of this, it is safer to upgrade all of your cameras in case there is any unknown openings. This is also a good reminder not to use UPnP or port forwarding.

Full Public Disclosure Made [Updated]

On July 18th, the researcher made a full public disclosure (report here) including a python script to prove / enable others to perform the attack. As such we strongly advise you to upgrade immediately.

Tested By IPVM

IPVM has tested the vulnerability using the researcher's disclosure. We found that it did allow getting root access to Axis cameras that allowed us to disable, deface and attack various devices.

Broad Vulnerability

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Products starting with firmware 5.20.x, which is from ~2010 time range (e.g., this 2010 5.20.x release note), are vulnerable. Technically, Axis says 6.30 firmware is not vulnerable but that is not shipping as of this publication.

Something they did or component they added in the 5.20.x firmware ~6 years ago is the source of the vulnerability. In that time frame, there has easily been millions of Axis cameras shipped, now at risk.

Delayed Announcement

It took Axis about a week from the time they first informed partners (by email) to when they informed the general public with a press release.

Cybersecurity Industry Concerns

Axis has been hammering home cybersecurity as a differentiator, part of Axis' superior quality claims (disputed here). Indeed, Hikvision has suffered the most here. Now, Axis has its own issue to face. They will likely emphasize how technical / advanced this vulnerability is but, regardless, it is hard to really promote their own cybersecurity superiority, as they have been doing, in the immediate wake of this.

NOTE: This report was originally published on June 30th, when we first discovered it and substantially re-written on July 6th, when Axis issued a full press release and more details and updated again on July 18th after disclosure was made.

5 reports cite this report:

1 New Acquisition Per Year Planned for Qognify (Former Nice Security) on Aug 23, 2016
Want to be acquired? Qognify, the former Nice Security Group, has big money behind it and the plans for multiple acquisitions. In this note, we...
Axis OrwellLabs Exploit Tested on Jul 29, 2016
Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after Axis critical...
Axis Camera Hack Tested on Jul 21, 2016
Full disclosure by the researcher of the Axis critical security vulnerability has been made. But what does this mean? Does it even work? What can...
Axis, Pay Integrators To Fix Your Critical Defect on Jul 14, 2016
Axis should pay integrators to fix Axis' recent disclosed critical security vulnerability / defect.  There are millions of Axis cameras deployed...
Interview With Researcher Who Cracked Security Of 70+ DVR Brands on Jul 07, 2016
The researcher who found an exploit in 70+ brands of DVRs, which he suspected to be the entry point hackers used to gain access to several...
Comments (29): PRO Members only. Login. or Join.

Most Recent Industry Reports

Hikvision vs Dahua Mobile Apps Tested on Dec 07, 2016
With smartphone use and low-cost video recorders surging, many user's main interface to their surveillance system is their phone. With mobile video...
Paxton Drops US Reps, Plans Major Expansion on Dec 07, 2016
Paxton is gearing up to make a big run at  US access control success. The first step they have made is to cut all US Rep Firms, in anticipation of...
Axis Partner Elder Care Video Analytics (Smartervision) on Dec 07, 2016
Can video analytics be used to improve the care of the elderly? Axis and a video analytics startup, Smartervision, are working together to do so....
Power Drill Selection Guide on Dec 06, 2016
Boring holes is a basic part of running cables for most security system projects. To do so, you will need to choose the right drills for various...
Milestone Favorability Results on Dec 06, 2016
In our second installment of manufacturer favorability results (first was Pelco), we turn to Milestone. 100+ integrators rated and explained what...
XiongMai Master Password List Emailed By Chinese Spammer on Dec 05, 2016
XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites. After pledging to recall cameras...
Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Door Operators Access Control Tutorial on Dec 05, 2016
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Pelco Favorability Results on Dec 02, 2016
This is the first in a series of studies of manufacturer favorability. 100+ integrators rated and explained their views of each manufacturer. We...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact