Axis FMS Vulnerability 2016 Tested

By Ethan Ace, Published Jul 21, 2016, 08:15am EDT (Research)

Full disclosure by the researcher of the Axis critical security vulnerability has been made.

But what does this mean? Does it even work? What can you do?

In this report, we share our test findings of how we were able to hack Axis cameras using this disclosure, showing this in a video screencast, plus what is most at risk and what the limitations are.

Key Findings

Our key findings include:

  • Real: This is not a theoretical vulnerability. It very much did let us get root access of various Axis cameras.
  • Functional: The python script included in the disclosure works and is complete. This was not a vague or qualitative description but a working application.
  • Limits: The included script only works with a single camera at a time and requires entering the right platform for each Axis camera attacked. Of course, a real adversary could build upon this to automate attacking multiple cameras and trying multiple platforms iteratively.
  • Practical Risks: Root access to Axis cameras, by default, allowed us to use some Linux commands (like killing the video stream, rebooting the camera, using curl to make network requests / download files, etc.). We were not able to get access to the live video feed and some Linux function / services are not included, by default, as Axis uses BusyBox, a strip down Unix tools suite. Update: we were able to change the web root password and get access to live video feed and full web configuration.
  • Worse Things Possible: We have limited Linux administration and hacking skills, and while we were able to do a number of things fairly easily, we suspect better and more motivated techs could cause a lot more problems.

Upgrade your Axis camera firmware, everywhere and immediately. Even if you are sure no outsiders can access the cameras, there is a still a risk than an insider or saboteur could take advantage of this.

Demonstration of the Hack

In this video, we demonstrate a hack of an US day care broadcasting an Axis camera and how we hacked our own camera to kill the video stream and bombard Axis.com with web requests.

Additionally, a member (the infamous Undisclosed 1) was able to deface the Axis camera's web interface with a rival manufacturer's, shown below:

Axis Response Mixed Accuracy

Our testing shows that Axis was right that "the exploit is very sophisticated." The researcher who did this is clearly very skilled as shown by reading through the report / Python script.

The problem is that the 'hardest' part is now done. Very few people could likely figure this out on their own but with the provided script, it is far easier to build upon that and weaponize it.

Moreover, though 3 days since disclosure (now 7), Axis has not updated any of its public document (e.g., 1, 2, 3) or issued any documentation to make it clear that the disclosure has been made and that it includes a script that makes it much easier for the broader public / adversaries to take advantage of it.

Upgrade Your Cameras

Everyone should upgrade their Axis cameras immediately. This is even more urgent now that the researcher has released a working script and is available through many directories of vulnerabilities.

7 reports cite this report:

Bashis Joins IPVM To Lead Cybersecurity Research on Sep 20, 2022
Bashis has joined IPVM to lead our cybersecurity research, expanding the...
Dahua Forbes 'Next Web Crisis' Vulnerability Dispute on Nov 16, 2017
The buffer overflow vulnerability in Dahua products is not in dispute, in...
Manufacturers Cheer ISC West 2017 Performance on Apr 11, 2017
ISC West 2017 showed strong satisfaction results from manufacturers, similar...
Axis Hides Exploit Danger on Aug 09, 2016
Axis is hiding the severity and danger of the 'remote string format'...
Axis Exploit Allows Changing Camera Root Password Confirmed on Aug 02, 2016
IPVM has confirmed that using the Axis remote format string vulnerability, an...
Axis OrwellLabs Exploit Tested on Jul 29, 2016
Another exploit has been reported for Axis cameras (OrwellLabs AXIS...
Axis Critical Security Vulnerability on Jul 06, 2016
Axis has disclosed a 'critical security vulnerability' in most Axis products...
Comments (22) : Subscribers only. Login. or Join.
Loading Related Reports