Axis Camera Vulnerabilities From Google Researcher Analyzed

By: Brian Karas, Published on Mar 23, 2017

A Google security researcher has reported 6 vulnerabilities for Axis cameras, affecting multiple models and firmware versions.

In this report, we examine these vulnerabilities, potential for exploit, and the practical risk of them.

* ****** ******** ********** has ******** * *************** for Axis *******, ********* ******** models *** ******** ********.

** **** ******, ** examine ***** ***************, ********* for *******, *** *** practical **** ** ****.

[***************]

Vulnerabilities ********

* **** ** *** Full ********** ******* ***** the ********* * ***************:

******: ** *****-**** ******* forgery ***********

******: ****** ****** ****** for *** 

******: *** ******** *** as **** 

******: ****** ****** ******** allows *** ********* ***** as **** ** ********** CSRF ****** 

******: **** ****** .*** scripts *** ******** ******* 

******: ********* ** ******* the **** *********

**** *** **** ****** their ********** ** ***** ***************** ************ ************.

Key ******** / *******

*** **** ** ** attacker ************ ***** ***** vulnerabilities ** ********* ***.

** ****** ***** ******* all **** ** *** ********* criteria ** ** ***:

  • ******** ** **** ** trick * **** **** clicking * ********* **** in ** ***** ** on * *******, ***** calls * ****** ** the ******
  • ******** ***** *** ******** IP ******* ** ******** of * ********** ******* to ******* ** ***** or *******
  • *** **** ****** ** that **** ***** ****** into ***** ******* ******** ** the **** *** ******* the **** ** ******* on
  • *** ******* *** ** firmware ***** ** *.*.* that ***** ******* ******** 3 ***** ***, ** March ****

********* *** **** ** *** above is **** *** ****** researcher ********* ** *** ability ** '********' *** device. *******, **** ** vastly **** *********** *** difficult ** ******* **** the ***** ********, ***** ****** *** can ******** ******* ** a ********** ****** *** backdoor **. 

************, *** ************ ******** would ********* ***** ** attacker ** ******* ****** to a **** ******* ****** of *******, ** ***, reducing *** ******* ** this ***** **** *** broad attacks.

*** ******* ** ******* are *** ********** ** this *******, ** ***** is ** **** ** clicking * ********* **** while ****** **** * VMS **** *** ***** access ** * ******. 

Affects ******** ***** ** *.**

**** **** ******** ******** prior ** *.** *** a ********* *** ************* that ***** **** **********. Users ******* ***** ******** should******** ******* ******** **** Axis' ******* ******* *** *** of **** *******. ***** many ****** **** ***** firmware *********, ***** *** still * **** ***** of ******* *** ***** updated ******** ** *** available. 

** ** ******** ****** is *********, ***** ***** be ******* ** ******** the *** ** ******** to ****** *** ******, use * ******* ***** than *** ******* ******* when ***** **, *** avoid ******* ****** ** clicking ***** ** *******/********* sites **** ****** **** any *******.

CSRF ******* - *** ** *************

***** *************** ******* ****** a**** ***************. ** *****, **** attacks **** ** * user ***** ****** **** a ******'* *** ********* *** then ******* *** **** to ***** * **** that ********** ** * specific ******* ** *** device. *** **** ** often ********* ** ********* else, **** ** * link ** ** ***** where *** **** **** "Click **** ** ***** your *******", *** *** URL *********** ** * command ** *** ****** (ex: ****://***.***.*.**/***-***/******.***).

*** ***** ***** ******** a **** **** ***** overview ** ****:

******* *** **** ******* has ****** ** *** device, *** ***** *******, VPN, ** **** ***** means, *** ******** **** not **** ******** ****** access ** *** ******, they **** **** ** trick *** **** **** clicking * **** **** a ********* ******* ***.

CSRF **********

**** ******* *** ********* ** requiring * ******* ***** as **** ** *** request. *** ***** ** a **** ****** ********* by *** ******, *** sent ** *** ****** to ******* **** *** request, ***** ***** **** the "****://***.***.*.**/***-***/******.***" ******* **** **** "****://***.***.*.**/***-***/******.***?*****=***********". ** * **** application, *** ***** ** much ******, ****** ** effectively ********** *** ** attacker ** ***** *** include **** ***** ********* link.

VAPIX ******** **** ***** ***

********* ** ****, ***** ***** API ** *** ********** with **** ******, ***** prevents **** **** ***** this ********* ** ******* CSRF *******.

Axis **** ****** - ********* ***

**** ******** * *****-** file ****** ** ***** cameras, ** **** ** easier *** ***** ** edit ****** ***** ** other **** ***** ** the ******. **** **** editor ** ****** ** the *********, ***** **** as **** ** ******** cameras, ****** ** *** potential ** ******** ** overwrite *** **** ** the ******.

**** **** **** ****** will ** ******* ** a ****** ******* ** further ****** ******* *********.

 

Comments (19)

Undisclosed Integrator #1

03/24/17 08:37pm

Interesting.  Does Google do these tests randomly or is this a researcher doing this as a side project?  Is this possibly related to the Arecont to Axis switch from last year?

Undisclosed End User #2

In reply to Undisclosed Integrator #1 | 03/27/17 01:01pm

I believe the research is done under the "Project Zero" program.

Avatar

Michael Gonzalez

03/24/17 09:07pm

Excellent information and article, thanks. So if I'm reading this correctly, is it safe to assume this type of exploit is rendered even more unlikely when the camera network is logically segregated from the internet/internet connected devices?

Avatar

Brian Karas

IPVM | In reply to Michael Gonzalez | 03/24/17 09:24pm

is it safe to assume this type of exploit is rendered even more unlikely when the camera network is logically segregated from the internet/internet connected devices?

Not really. If an operator can access the cameras via a browser, it would not matter if they are local, remote, segregated or not.

Part of what makes this kind of attack different is that the operator, who is in this case presumably able to access the internet or receive email AND access the camera network becomes a kind of "proxy" for the attacker. The attacker can not access the cameras directly, but they send a malicious to the operator who CAN access the cameras, and when that link is clicked, the cameras are compromised.

Again, it is worth mentioning this still requires the attacker to know the IP address of a vulnerable camera, and get the operator to click a malicious disguised link that goes to that camera, while the operator is already logged into its web interface.

Avatar

Jon Dillabaugh

Pro Focus LLC | 03/27/17 12:10am

Can't believe people still sell these vulnerable devices.

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/27/17 12:21am

Can't believe people still sell these vulnerable devices.

Jon, rather than a sarcastic comment, can you offer something of analytic substance to the discussion?

Avatar

Jon Dillabaugh

Pro Focus LLC | In reply to John Honovich | 03/27/17 12:42pm

I was just making a comment similar to what I see every time there is a Hik/Dahua vulnerability announced. Yes, it was sarcasm and wasn't helpful, unless pointing out the absurdity of the typical stance. 

No brand is 100% safe. Not Axis. Not Sony. Not Hikvision. For sure not Dahua. Some are far better than others. Some have larger targets due to the popularity of their products and the vast amount of deployed products. 

This just goes back to my stance that you can't trust ANY IoT device entirely and they MUST be segregated to the furthest extent possible. 

Anyone who relies on their particular brand to ensure absolutely zero vulnerabilities is foolish to do so. Every single integrator and end user must take preventative measures to ensure these vulnerabilities are mitigated as much as possible. 

Avatar

Brian Karas

IPVM | In reply to Jon Dillabaugh | 03/27/17 12:50pm

Jon -

You do recognize that there is a large degree of difference between this vulnerability in the Axis cameras, and the recent Dahua and Hikvision vulnerabilities, right?

 

Avatar

Jon Dillabaugh

Pro Focus LLC | In reply to Brian Karas | 03/27/17 01:01pm

That may be your perspective, but to me a vulnerability is a vulnerability to a great extent. Sure, some only allow you to view an unauthorized feed or something much less nefarious than root access to the OS. But to be completely frank, these devices shouldn't ever see daylight IMO. Even if you can assure me they are safe today, you can't assure the same tomorrow. 

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/27/17 01:24pm

but to me a vulnerability is a vulnerability to a great extent.

But vulnerabilities, like 'accidents' and 'crimes' can vary greatly in their significance. 

On a scale of 1 - 10, please rank the above Axis vulnerability to the Dahua vulnerability from this month.

I'll go first: Dahua is a 10 since it's so easy to do. Axis is a 1 since it requires a combination of nearly impossible steps to work.

Your turn, Jon. Please rate them on a scale of 1 to 10.

Undisclosed Manufacturer #4

In reply to Jon Dillabaugh | 03/27/17 03:34pm

A vulnerability is a vulnerability?  That's just silly.  If you actually believe this, then it would make life impossible.  We survive by taking calculated risks.

 

I assume that you will use some form of motor-powered transportation today.  You must have a death wish!  Haven't you seen the terrible accidents at the Isle of Man TT? 

You'd be much safer to walk everywhere.  But wait!

Forget it, just stay home!

Undisclosed Manufacturer #3

03/27/17 01:58pm

A vulnerability is a vulnerability.  Any and all devices on the network whether that network is "isolated" or not, can become a source of a network attack. 

We as the "good guys" must protect our network from any and all possible intrusions.  For the "bad guys"  they only need to find one weakness to exploit, so the advantage will always be with the bad guys.

Your presumption that certain vulnerabilities are worse than others (a scale of 1 to 10) presumes that all exploitable vulnerabilities will result in the same impact to the system.  A vulnerability of "1" (your scale not mine) can be severe if it is on a mission critical system where more aggressive attacks from more determined hackers are being launched and the success of the attack will have a severe and significant impact on the system or operations of an organization which may reach beyond just the camera system.

We as an industry need to take information security more seriously.  There are some manufacturers who are knowingly allowing common vulnerabilities and exposures either because they don't want to invest the money in properly hardening their devices or they are responding to customer requests to exchange convenience for security.  I have unfortunately encountered integrators and end users who complain about the challenges of implementing very robust IT security in their network.  In addition, a highly secure network requires constant maintenance and upkeep as new CVE's are discovered not only with the devices but with the computing and network systems that they are attached to.

We have not heard the last of these vulnerabilities and they will continue to plague our industry.  The real questions for those who appreciate and desire strong IT security are, is how pro-active your vendor is being with their information security and how quickly do they react when a vulnerability is discovered?

Keep up the good work in reporting this information as awareness is the first step to providing a more secure system, but unfortunately, the bad guys are always looking for ways in and sooner or later they will probably find one. 

John Honovich

IPVM | In reply to Undisclosed Manufacturer #3 | 03/27/17 02:07pm

Your presumption that certain vulnerabilities are worse than others (a scale of 1 to 10) presumes that all exploitable vulnerabilities will result in the same impact to the system.

No, my point is that some vulnerabilities are much easier to exploit than others. The Dahua vulnerability will result in large scale exploits, guaranteed. This Axis one, if it even results in 1 exploit, would be amazing given how hard it is to use.

Avatar

Jon Dillabaugh

Pro Focus LLC | In reply to John Honovich | 03/27/17 02:14pm

My point is that neither would matter if they were properly quarantined in a segregated network. 

Avatar

Brian Karas

IPVM | In reply to Jon Dillabaugh | 03/27/17 02:19pm

Jon -

Do your customers ask for remote access to their systems? If so, what is your method for keeping everything quarantined and segregated, and also allowing customer access? 

Avatar

Jon Dillabaugh

Pro Focus LLC | In reply to Brian Karas | 03/27/17 02:27pm

Dual NICs in the VMS server  with a single port forward for the VMS only. We usually have remote access to the server via Splashtop Streamer using two factor authentication. The second NIC and the cameras are on a non-Internet facing network. Soon, we won't need the port forward for remote viewing. 

Undisclosed Manufacturer #3

03/27/17 02:39pm

My point is that both matter if they are exploited.  I guess my concern is the attitude that "well it is hard for someone to exploit so it is no big deal."  Perhaps I am reading something into this that wasn't meant.  As an IT security professional, the risk of a CVE isn't judged based on "how hard" it is to exploit it is judged on what damage can be done by exploiting it.   My concern is the disconnect between our industry and network security professionals.  I guess I am objecting to the premise of the question.  if we want to rate a vulnerability we need to do so based on what damage can be done.  For example, if a vulnerability allows someone with special expertise to change the date/time of a camera, that might be considered a low risk.  if the vulnerability can be used to launch a more serious attack on the network, delete data or launch a DoS attack for example,  that is a more serious exposure regardless of how hard it is for someone to do. 

 

John Honovich

IPVM | In reply to Undisclosed Manufacturer #3 | 03/27/17 02:45pm

regardless of how hard it is for someone to do.

How hard something is certainly impacts proper security planning. If two things have the same potential impact, but one takes a miracle to do and the other a child can do, the later one is much more of a risk. Agree/disagree?

Wade Pinnell

03/28/17 04:56am

Agree!

John, you are correct to focus on  the vulnerabilities of hardware. Any responsible End-User will base their overall cyber-security programs on a Risk Management approach.  It is the only practical  way to administrate security.  

Risk is a factor of the Threat (who is attacking), the Vulnerabilities in the system and the Consequence of an attack.  While a bit simplified, this is the general equation. Some Risk methodologies are volumes long and mathematically complex processes.  

Customers rarely provide enough details on Consequences to their business or the Threats they need, or are willing to, protect against. Add to this equation, that most integrators don't possess the qualified consultative assets to conduct a comprehensive Risk Management Study  

So in the end, your premise is correct.  Lowering the vulnerability in hardware may be the only practical step an integrator can unilaterally deliver to a customer. 

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Subnetting for Video Surveillance on Apr 30, 2019
This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range,...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 22, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...

Most Recent Industry Reports

'Severe Impact' Mercury Security 2020 Leap Year Firmware Issue on Jan 17, 2020
One of the largest access controller manufacturers has a big problem: February 29th. Mercury Security, owned by HID, is alerting partners of the...
Apple Acquires XNOR.ai, Loss For The Industry on Jan 16, 2020
Apple has acquired XNOR.ai for $200 million, reports GeekWire. This is a loss for the video surveillance industry. XNOR.ai stunned the industry...
Installation Course January 2020 - Last Chance on Jan 16, 2020
Thursday, January 16th is your last chance to register for the Winter 2020 Video Surveillance Installation Course. This is a unique installation...
Halo Smart Vape Detector Tested on Jan 16, 2020
The Halo Smart Sensor claims to detect vaping, including popular brand Juul and even THC vapes. But how well does it work in real world...
PRC Government Entity Now Controlling Shareholder of Infinova / March Networks on Jan 16, 2020
A PRC government entity is now the controlling shareholder of US security manufacturer Infinova as well as its wholly-owned subsidiary March...
Network Cabling for Video Surveillance on Jan 15, 2020
In this guide, we explain the fundamentals of network cabling for video surveillance networks, how they should be installed, and the differences in...
ONVIF Trashed Statement, Confirms Dahua and Hikvision Still Suspended on Jan 15, 2020
ONVIF has 'trashed' the suspension statement for Dahua, Hikvision, Huawei, etc. but confirms to IPVM that those companies are all still...
Wyze Smart Door Lock Test on Jan 14, 2020
Wyze's inexpensive cameras have grabbed the attention of many in the consumer market, but can the company's new smart lock get similar...
Wesco Wins Anixter on Jan 13, 2020
Despite Anixter earlier arguing that Wesco's bid was inferior to CD&R's by nearly 10%, Anixter confirmed that they are taking Wesco's 3.1%...
Anixter Resisting Takeover From Competitor, Bidding War Emerges, Wesco Wins on Jan 13, 2020
Mega distributor Anixter is going to be acquired but by whom? Initially, Anixter planned to go private, being bought by a private equity firm....

What IPVM Is

The world's leading authority on video surveillance, with 200,000+ visits monthly.

  • Articles on cameras, video analytics, VMS, and trends
  • Tests showing actual performance and problems
  • Courses in surveillance, access control, etc
  • Camera Calculator for designing systems

Dedicated To Independence

We're dedicated to staying independent and objective. We're the only industry source to refuse any and all advertisements, sponsorship, and consulting from manufacturers. Why?