Axis Hides Exploit Danger

Author: John Honovich, Published on Aug 09, 2016

Axis is hiding the severity and danger of the 'remote string format' vulnerability.

We ask Axis to fully communicate the risks of the released 'Hack Axis' program to Axis users and urge everyone with Axis devices to upgrade them immediately. 

Exploit Danger

The danger is that a working 'Hack Axis' program was released 3 weeks ago. This programs allows:

  • Root access to Axis devices, without having to know or figure out the password (regardless of how hard the password is).
  • Changing the Axis web password, with a simple additional command, to get full control of video and configuration
  • Turning Axis devices into botnets to attack computers throughout the world.
  • Hijacking Axis devices that continues even after they are upgraded to 'fix' the exploit and even after a factory reset, allowing continued malicious access and control. This was tested with a researcher who did this to an IPVM Axis device, which we verified. 

Axis stresses the main 'limitation' is that one needs network access to the camera, which is true, but undermines that mistakes can occur that allow devices to be remotely accessible and that many contractors, including competitors, often have access to internal systems. And, of course, the tens of thousands of Axis devices made publicly available are extremely at risk.

Axis Communications Failure

Axis has never communicated that a working 'Hack Axis' program has been released and shared across Internet hacking sites. It is now 3 weeks since this was done and Axis has done nothing to communicate that or correct their existing erroneous communications.

(1) The Axis FAQ on this issue declares:

[Update Aug 12th: Axis has edited the FAQ to remove this claim.]

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

But the vulnerability has been disclosed and is widely known and available on many cybersecurity / hacking sites, including the Exploit Database.

(2) The Axis corporate press release states:

 

Unfortunately for Axis users, Axis has not updated that release nor issued any subsequent release making it clear that not only it is disclosed but the working program allowing for exploitation is released.

(3) Axis has a CVE report which at least mentions the appropriate term exploit:

Three weeks after it was disclosed, Axis still has not updated this.

[Update Aug 12th: 24 days after the disclosure Axis has issued a new CVE report where they acknowledge the full exploit and the available Python script.]

In sum, Axis, after initial limited announcement and no communication about a full working program being released, is now completely ignoring the issue. We emailed Axis management multiple times about these concerns in addition to previous posts that raised them, without any action from Axis.

Axis Take Responsibility

Axis, please immediately fix all of your documentation and then issue a new release and email blasts explaining that a working Hack Axis program does exist and is widely available for hackers and your competitors to take advantage.

Exploits happen to everyone. We agree with Axis engineering team that this was a very hard / obscure exploit to find. That it happened should not be a black eye for Axis.

Axis is great at communication... when they want to. But how Axis has (not) communicated this is inappropriate, leaving Axis partners and customers at significant risk. Axis certainly wants to be a leader in cybersecurity. This exploit should not undermine that. But failing to properly inform your users of the full risk absolutely should.

2 reports cite this report:

History of Video Surveillance on Sep 22, 2016
This is a concise history of video surveillance covering the past decade.  The goal is to help professionals newer to the industry understand...
Dahua Distributor Angered "Always Give Good News About Hikvision" on Aug 11, 2016
A Dahua distributor is angry that "IPVM always give good news about HIKvision while destroys Dahua." I can understand the frustration, not of...
Comments (7): PRO Members only. Login. or Join.

Most Recent Industry Reports

Uniview (UNV) IP Cameras Tested on Feb 22, 2017
"We're #3," in China says Uniview (UNV). While the company significantly trails Hikvision and Dahua in total sales, one notable difference is that...
Glass Doors and Access Control Tutorial on Feb 22, 2017
The biggest challenge for many access control systems are glass doors. Here's what happens when a maglock is improperly installed to an existing...
Exacq Favorability Results on Feb 22, 2017
For years, Exacq has been one of the most frequently favored VMSes in IPVM integrator statistics (e.g., see Favorite VMS Manufacturers...
The Hot RMR Company - Electric Guard Dog on Feb 22, 2017
The financiers at the Barnes Buchanan conference praised a company named 'Electric Guard Dog'. While the name sounds fairly low tech, the money and...
Hikvision Leads Multi-Manufacturer Sales Promo on Feb 21, 2017
Earlier this month, Hikvision launched new 'super value' kits, with 40% discounts, and now Hikvision is offering another promo, but this time they...
Washington DC MPD's Surveillance Equipment on Feb 21, 2017
The Washington DC Metropolitan Police Department's surveillance system was hacked in January 2017. Two immediate questions were: Whose...
Hikvision Ezviz Mini 360 Plus - $80 Autotracking Camera Tested on Feb 21, 2017
Autotracking, integrated IR, local storage, full HD, cloud access: $80. That is the claim of Hikvision EZVIZ's new Mini 360 Plus. But for this...
Lenel Improving Customer Support on Feb 21, 2017
Lenel has faced significant criticism recently (see Lenel Partners Angry, Lenel Does Not Care, Worst Access Control 2016, Lenel Favorability...
'Dirty': Hikvision Attacks Genetec on Feb 20, 2017
Hikvision is angry at the growing public awareness that Hikvision is owned by the Chinese government. They took aim at Genetec,...
Directory of Alarm Company Brokers on Feb 20, 2017
Selling an RMR based business, such as alarm company, can be highly profitable, with acquisition prices of 36 to 48x RMR (equivalent to 3 to 4x...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact