Axis Critical Security Vulnerability

JH
John Honovich
Published Jul 06, 2016 15:20 PM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

Axis has disclosed a 'critical security vulnerability' in most Axis products shipped in the past ~6 years.

Risk of Vulnerability

This has been deemed 'critical' because if an attacker exploits this, they will 'get control of the product', meaning that they could then not only impact the camera's performance but use this to launch other attacks, etc.

Who Is At Risk

If a camera can be accessed, it likely is at risk for being taken over. In practical terms, the highest risk is those cameras exposed to the public Internet. It is important to note that this includes cameras that use UPnP or port forwarding as Axis themselves has acknowledged. Because of this, it is safer to upgrade all of your cameras in case there is any unknown openings. This is also a good reminder not to use UPnP or port forwarding.

Full Public Disclosure Made [Updated]

On July 18th, the researcher made a full public disclosure (report here) including a python script to prove / enable others to perform the attack. As such we strongly advise you to upgrade immediately.

Tested By IPVM

IPVM has tested the vulnerability using the researcher's disclosure. We found that it did allow getting root access to Axis cameras that allowed us to disable, deface and attack various devices.

Broad Vulnerability

Industry insights delivered to your inbox weekly.

Sign up to get notified of new reports, investigations, research and more.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Products starting with firmware 5.20.x, which is from ~2010 time range (e.g., this 2010 5.20.x release note), are vulnerable. Technically, Axis says 6.30 firmware is not vulnerable but that is not shipping as of this publication.

Something they did or component they added in the 5.20.x firmware ~6 years ago is the source of the vulnerability. In that time frame, there has easily been millions of Axis cameras shipped, now at risk.

Delayed Announcement 

It took Axis about a week from the time they first informed partners (by email) to when they informed the general public with a press release.

Cybersecurity Industry Concerns

Axis has been hammering home cybersecurity as a differentiator, part of Axis' superior quality claims (disputed here). Indeed, Hikvision has suffered the most here. Now, Axis has its own issue to face. They will likely emphasize how technical / advanced this vulnerability is but, regardless, it is hard to really promote their own cybersecurity superiority, as they have been doing, in the immediate wake of this.

NOTE: This report was originally published on June 30th, when we first discovered it and substantially re-written on July 6th, when Axis issued a full press release and more details and updated again on July 18th after disclosure was made.

Comments are shown for subscribers only. Login or Join