Axis Critical Security Vulnerability

Author: John Honovich, Published on Jul 06, 2016

Axis has disclosed a 'critical security vulnerability' in most Axis products shipped in the past ~6 years.

Risk of Vulnerability

This has been deemed 'critical' because if an attacker exploits this, they will 'get control of the product', meaning that they could then not only impact the camera's performance but use this to launch other attacks, etc.

Who Is At Risk

If a camera can be accessed, it likely is at risk for being taken over. In practical terms, the highest risk is those cameras exposed to the public Internet. It is important to note that this includes cameras that use UPnP or port forwarding as Axis themselves has acknowledged. Because of this, it is safer to upgrade all of your cameras in case there is any unknown openings. This is also a good reminder not to use UPnP or port forwarding.

Full Public Disclosure Made [Updated]

On July 18th, the researcher made a full public disclosure (report here) including a python script to prove / enable others to perform the attack. As such we strongly advise you to upgrade immediately.

Tested By IPVM

IPVM has tested the vulnerability using the researcher's disclosure. We found that it did allow getting root access to Axis cameras that allowed us to disable, deface and attack various devices.

Broad Vulnerability

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Products starting with firmware 5.20.x, which is from ~2010 time range (e.g., this 2010 5.20.x release note), are vulnerable. Technically, Axis says 6.30 firmware is not vulnerable but that is not shipping as of this publication.

Something they did or component they added in the 5.20.x firmware ~6 years ago is the source of the vulnerability. In that time frame, there has easily been millions of Axis cameras shipped, now at risk.

Delayed Announcement 

It took Axis about a week from the time they first informed partners (by email) to when they informed the general public with a press release.

Cybersecurity Industry Concerns

Axis has been hammering home cybersecurity as a differentiator, part of Axis' superior quality claims (disputed here). Indeed, Hikvision has suffered the most here. Now, Axis has its own issue to face. They will likely emphasize how technical / advanced this vulnerability is but, regardless, it is hard to really promote their own cybersecurity superiority, as they have been doing, in the immediate wake of this.

NOTE: This report was originally published on June 30th, when we first discovered it and substantially re-written on July 6th, when Axis issued a full press release and more details and updated again on July 18th after disclosure was made.

17 reports cite this report:

IPVM Vulnerability Scanner Released on Jun 18, 2018
IPVM is proud to announce video surveillance's first and only cybersecurity vulnerability scanner. This tool allows quickly and simply...
Cybersecurity for IP Video Surveillance Guide on May 18, 2018
Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly. We have summarized exploits by date and by manufacturer,...
Remote Network Access for Video Surveillance Guide on Feb 21, 2018
Remotely accessing surveillance systems is key in 2018, with more and more users relying on mobile apps as their main way of operating the system....
Axis 5 Vulnerabilities Examined on Dec 01, 2017
A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical...
Vivotek Remote Stack Overflow Vulnerability on Nov 14, 2017
A stack overflow vulnerability in Vivotek cameras has been discovered by bashis, the security researcher who has also found vulnerabilities in...
Dahua Trying, Struggling To Respond To Hacking Attacks on Oct 04, 2017
Now, 2 weeks since large-scale hacking attacks commenced against Dahua vulnerable devices, we analyze Dahua's response. On the positive side,...
Milestone Entry Level Mobile Password Vulnerability Disclosed on May 24, 2017
While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has...
Axis Criticizes OEMs: "When You Buy An Axis Camera, An Axis Camera Is What You Get!" on May 19, 2017
When you buy a Honeywell camera, you likely get a Hikvision, Dahua or some other company's product. The same goes for easily 100 different...
Dahua Backdoor Uncovered on Mar 06, 2017
A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by...
1 New Acquisition Per Year Planned for Qognify (Former Nice Security) on Aug 23, 2016
Want to be acquired? Qognify, the former Nice Security Group, has big money behind it and the plans for multiple acquisitions. In this note, we...
Axis OrwellLabs Exploit Tested on Jul 29, 2016
Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after Axis critical...
Axis FMS Vulnerability 2016 Tested on Jul 21, 2016
Full disclosure by the researcher of the Axis critical security vulnerability has been made. But what does this mean? Does it even work? What can...
Axis, Pay Integrators To Fix Your Critical Defect on Jul 14, 2016
Axis should pay integrators to fix Axis' recent disclosed critical security vulnerability / defect.  There are millions of Axis cameras deployed...
IPVM Site Goes All HTTPS, Largest 3 Manufacturers Do Not [Axis, Dahua Fixed] on Jul 12, 2016
IPVM.com now serves all pages over HTTPS to improve security and privacy. However, a number of video surveillance manufacturers do not, including...
Axis Boasts Kicking Arecont Out of Google on Jul 11, 2016
Axis has displaced Arecont as the standard IP camera for Google, boasts Axis. Inside, we examine Axis statement, Arecont's response and what this...
Interview With Researcher Who Cracked Security Of 70+ DVR Brands on Jul 07, 2016
The researcher who found an exploit in 70+ brands of TVT OEM DVRs, which he suspected to be the entry point hackers used to gain access to several...
Comments (28) : PRO Members only. Login. or Join.

Most Recent Industry Reports

Integrator Credit Card Alternative Divvy on Nov 13, 2018
Most security integrators are small businesses but large enough that they have various employees that need to be able to expense various charges as...
Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...
Magos Radar Company Profile on Nov 12, 2018
Magos America General Manager Yaron Zussman admits when he first came across Magos, he asked himself: "What's innovative about radar?" Be that as...
Genetec Privacy Protector Tested on Nov 12, 2018
Genetec has built Kiwi Security's Privacy Protector into Security Center, an analytic which anonymizes individuals in cameras' fields of view...
Chinese Government Increases Hikvision Ownership on Nov 12, 2018
The Chinese government - Hikvision's controlling shareholder - is increasing its ownership of the video surveillance giant amid sharp stock price...
Axis: "No One Wants To Buy A Camera" on Nov 09, 2018
Axis has, in its own description, made a bold declaration: The industry is changing so rapidly that the following statement might seem bold but...
Video Surveillance Hard Drive Size Statistics 2018 on Nov 08, 2018
What is the most common hard drive size for video surveillance? 150+ integrators answered: What size hard drive do you most commonly use? What...
Axis 2N Intercom Tested on Nov 08, 2018
Axis expanded its video intercom business buying Czech-based 2N in 2016. Despite competing against owner Axis' intercoms, 2N recently registered as...
Haven Targets School Security with Lockdown Lineup on Nov 08, 2018
Haven, a US startup founded in 2014 as a residential-focused company, has now raised funding and is offering a lineup of commercial grade locks for...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact