Axis Camera Vulnerabilities From Google Researcher Analyzed

Author: Brian Karas, Published on Mar 23, 2017

A Google security researcher has reported 6 vulnerabilities for Axis cameras, affecting multiple models and firmware versions.

In this report, we examine these vulnerabilities, potential for exploit, and the practical risk of them.

* ****** ******** ********** *** ******** * *************** *** **** cameras, ********* ******** ****** *** ******** ********.

** **** ******, ** ******* ***** ***************, ********* *** *******, and *** ********* **** ** ****.

[***************]

Vulnerabilities ********

* **** ** *** **** ********** ******* ***** *** ********* 6 ***************:

******: ** *****-**** ******* ******* ***********

******: ****** ****** ****** *** ***

******: *** ******** *** ** ****

******: ****** ****** ******** ****** *** ********* ***** ** **** on ********** **** ******

******: **** ****** .*** ******* *** ******** *******

******: ********* ** ******* *** **** *********

**** *** **** ****** ***** ********** ** ***** ***************** ************ ************.

Key ******** / *******

*** **** ** ** ******** ************ ***** ***** *************** ** extremely ***.

** ****** ***** ******* *** **** ** *** ********* ******** to ** ***:

  • ******** ** **** ** ***** * **** **** ******** * malicious **** ** ** ***** ** ** * *******, ***** calls * ****** ** *** ******
  • ******** ***** *** ******** ** ******* ** ******** ** * vulnerable ******* ** ******* ** ***** ** *******
  • *** **** ****** ** **** **** ***** ****** **** ***** cameras ******** ** *** **** *** ******* *** **** ** clicked **
  • *** ******* *** ** ******** ***** ** *.*.* **** ***** started ******** * ***** ***, ** ***** ****

********* *** **** ** *** ***** ** **** *** ****** researcher ********* ** *** ******* ** '********' *** ******. *******, this ** ****** **** *********** *** ********* ** ******* **** the***** ********, ***** ****** *** *** ******** ******* ** * ********** device *** ******** **.

************, *** ************ ******** ***** ********* ***** ** ******** ** gaining ****** ** * **** ******* ****** ** *******, ** any, ******** *** ******* ** **** ***** **** *** ***** attacks.

*** ******* ** ******* *** *** ********** ** **** *******, so ***** ** ** **** ** ******** * ********* **** while ****** **** * *** **** *** ***** ****** ** a ******.

Affects ******** ***** ** *.**

**** **** ******** ******** ***** ** *.** *** * ********* and ************* **** ***** **** **********. ***** ******* ***** ******** should******** ******* ******** **** ****' ******* ******* *** *** ** **** *******. ***** **** ****** have ***** ******** *********, ***** *** ***** * **** ***** of ******* *** ***** ******* ******** ** *** *********.

** ** ******** ****** ** *********, ***** ***** ** ******* to ******** *** *** ** ******** ** ****** *** ******, use * ******* ***** **** *** ******* ******* **** ***** so, *** ***** ******* ****** ** ******** ***** ** *******/********* sites **** ****** **** *** *******.

CSRF ******* - *** ** *************

***** *************** ******* ****** ***** ***************. ** *****, **** ******* **** ** * **** ***** logged **** * ******'* *** ********* *** **** ******* *** user ** ***** * **** **** ********** ** * ******** command ** *** ******. *** **** ** ***** ********* ** something ****, **** ** * **** ** ** ***** ***** the **** **** "***** **** ** ***** **** *******", *** the *** *********** ** * ******* ** *** ****** (**: http://192.168.1.50/cgi-bin/commnd.cgi).

*** ***** ***** ******** * **** **** ***** ******** ** CSRF:

******* *** **** ******* *** ****** ** *** ******, *** local *******, ***, ** **** ***** *****, *** ******** **** not **** ******** ****** ****** ** *** ******, **** **** need ** ***** *** **** **** ******** * **** **** a ********* ******* ***.

CSRF **********

**** ******* *** ********* ** ********* * ******* ***** ** part ** *** *******. *** ***** ** * **** ****** generated ** *** ******, *** **** ** *** ****** ** include **** *** *******, ***** ***** **** *** "****://***.***.*.**/***-***/******.***" ******* **** **** "****://***.***.*.**/***-***/******.***?*****=***********". ** * **** ***********, *** ***** ** **** ******, making ** *********** ********** *** ** ******** ** ***** *** include **** ***** ********* ****.

VAPIX ******** **** ***** ***

********* ** ****, ***** ***** *** ** *** ********** **** CSRF ******, ***** ******** **** **** ***** **** ********* ** prevent **** *******.

Axis **** ****** - ********* ***

**** ******** * *****-** **** ****** ** ***** *******, ** make ** ****** *** ***** ** **** ****** ***** ** other **** ***** ** *** ******. **** **** ****** ** called ** *** *********, ***** **** ** **** ** ******** cameras, ****** ** *** ********* ** ******** ** ********* *** file ** *** ******.

**** **** **** ****** **** ** ******* ** * ****** release ** ******* ****** ******* *********.

Comments (19)

Undisclosed #1

03/24/17 08:37pm

***********. **** ****** ** ***** ***** ******** ** ** **** a ********** ***** **** ** * **** *******? ** **** possibly ******* ** ********** ** **** ********** **** ****?

Undisclosed End User #2

In reply to Undisclosed Integrator #1 | 03/27/17 01:01pm

* ******* *** ******** ** **** ***** *** "******* ****" program.

Thumbnail profile

Michael Gonzalez

03/24/17 09:07pm

********* *********** *** *******, ******. ** ** *'* ******* **** correctly, ** ** **** ** ****** **** **** ** ******* is ******** **** **** ******** **** *** ****** ******* ** logically ********** **** *** ********/******** ********* *******?

Thumbnail brk1

Brian Karas

IPVM | In reply to Michael Gonzalez | 03/24/17 09:24pm

** ** **** ** ****** **** **** ** ******* ** rendered **** **** ******** **** *** ****** ******* ** ********* segregated **** *** ********/******** ********* *******?

*** ******. ** ** ******** *** ****** *** ******* *** a *******, ** ***** *** ****** ** **** *** *****, remote, ********** ** ***.

**** ** **** ***** **** **** ** ****** ********* ** that *** ********, *** ** ** **** **** ********** **** to ****** *** ******** ** ******* ***** *** ****** *** camera ******* ******* * **** ** "*****" *** *** ********. The ******** *** *** ****** *** ******* ********, *** **** send * ********* ** *** ******** *** *** ****** *** cameras, *** **** **** **** ** *******, *** ******* *** compromised.

*****, ** ** ***** ********** **** ***** ******** *** ******** to **** *** ** ******* ** * ********** ******, *** get *** ******** ** ***** * ********* ********* **** **** goes ** **** ******, ***** *** ******** ** ******* ****** into *** *** *********.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | 03/27/17 12:10am

***'* ******* ****** ***** **** ***** ********** *******.

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/27/17 12:21am

***'* ******* ****** ***** **** ***** ********** *******.

***, ****** **** * ********* *******, *** *** ***** ********* of ******** ********* ** *** **********?

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to John Honovich | 03/27/17 12:42pm

* *** **** ****** * ******* ******* ** **** * see ***** **** ***** ** * ***/***** ************* *********. ***, it *** ******* *** ****'* *******, ****** ******** *** *** absurdity ** *** ******* ******.

** ***** ** ***% ****. *** ****. *** ****. *** Hikvision. *** **** *** *****. **** *** *** ****** **** others. **** **** ****** ******* *** ** *** ********** ** their ******** *** *** **** ****** ** ******** ********.

**** **** **** **** ** ** ****** **** *** ***'* trust *** *** ****** ******** *** **** **** ** ********** to *** ******** ****** ********.

****** *** ****** ** ***** ********** ***** ** ****** ********** zero *************** ** ******* ** ** **. ***** ****** ********** and *** **** **** **** ************ ******** ** ****** ***** vulnerabilities *** ********* ** **** ** ********.

Thumbnail brk1

Brian Karas

IPVM | In reply to Jon Dillabaugh | 03/27/17 12:50pm

*** -

*** ** ********* **** ***** ** * ***** ****** ** difference ******* **** ************* ** *** **** *******, *** *** recent ***** *** ********* ***************, *****?

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Brian Karas | 03/27/17 01:01pm

**** *** ** **** ***********, *** ** ** * ************* is * ************* ** * ***** ******. ****, **** **** allow *** ** **** ** ************ **** ** ********* **** less ********* **** **** ****** ** *** **. *** ** be ********** *****, ***** ******* *******'* **** *** ******** ***. Even ** *** *** ****** ** **** *** **** *****, you ***'* ****** *** **** ********.

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/27/17 01:24pm

*** ** ** * ************* ** * ************* ** * great ******.

*** ***************, **** '*********' *** '******' *** **** ******* ** their ************.

** * ***** ** * - **, ****** **** *** above **** ************* ** *** ***** ************* **** **** *****.

*'** ** *****: ***** ** * ** ***** **'* ** easy ** **. **** ** * * ***** ** ******** a *********** ** ****** ********** ***** ** ****.

**** ****, ***. ****** **** **** ** * ***** ** 1 ** **.

Undisclosed Manufacturer #4

In reply to Jon Dillabaugh | 03/27/17 03:34pm

* ************* ** * *************? ****'* **** *****. ** *** actually ******* ****, **** ** ***** **** **** **********. ** survive ** ****** ********** *****.

* ****** **** *** **** *** **** **** ** *****-******* transportation *****. *** **** **** * ***** ****! *****'* *** seen *** ******** ********* ** *** **** ** *** **?

***'* ** **** ***** ** **** **********. *** ****!

****** **, **** **** ****!

Undisclosed Manufacturer #3

03/27/17 01:58pm

* ************* ** * *************. *** *** *** ******* ** the ******* ******* **** ******* ** "********" ** ***, *** become * ****** ** * ******* ******.

** ** *** "**** ****" **** ******* *** ******* **** any *** *** ******** **********. *** *** "*** ****" **** only **** ** **** *** ******** ** *******, ** *** advantage **** ****** ** **** *** *** ****.

**** *********** **** ******* *************** *** ***** **** ****** (* scale ** * ** **) ******** **** *** *********** *************** will ****** ** *** **** ****** ** *** ******. * vulnerability ** "*" (**** ***** *** ****) *** ** ****** if ** ** ** * ******* ******** ****** ***** **** aggressive ******* **** **** ********** ******* *** ***** ******** *** the ******* ** *** ****** **** **** * ****** *** significant ****** ** *** ****** ** ********** ** ** ************ which *** ***** ****** **** *** ****** ******.

** ** ** ******** **** ** **** *********** ******** **** seriously. ***** *** **** ************* *** *** ********* ******** ****** vulnerabilities *** ********* ****** ******* **** ***'* **** ** ****** the ***** ** ******** ********* ***** ******* ** **** *** responding ** ******** ******** ** ******** *********** *** ********. * have ************* *********** *********** *** *** ***** *** ******** ***** the ********** ** ************ **** ****** ** ******** ** ***** network. ** ********, * ****** ****** ******* ******** ******** *********** and ****** ** *** ***'* *** ********** *** **** **** the ******* *** **** *** ********* *** ******* ******* **** they *** ******** **.

** **** *** ***** *** **** ** ***** *************** *** they **** ******** ** ****** *** ********. *** **** ********* for ***** *** ********** *** ****** ****** ** ******** ***, is *** ***-****** **** ****** ** ***** **** ***** *********** security *** *** ******* ** **** ***** **** * ************* is **********?

**** ** *** **** **** ** ********* **** *********** ** awareness ** *** ***** **** ** ********* * **** ****** system, *** *************, *** *** **** *** ****** ******* *** ways ** *** ****** ** ***** **** **** ******** **** one.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #3 | 03/27/17 02:07pm

**** *********** **** ******* *************** *** ***** **** ****** (* scale ** * ** **) ******** **** *** *********** *************** will ****** ** *** **** ****** ** *** ******.

**, ** ***** ** **** **** *************** *** **** ****** to ******* **** ******. *** ***** ************* **** ****** ** large ***** ********, **********. **** **** ***, ** ** **** results ** * *******, ***** ** ******* ***** *** **** it ** ** ***.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to John Honovich | 03/27/17 02:14pm

** ***** ** **** ******* ***** ****** ** **** **** properly *********** ** * ********** *******.

Thumbnail brk1

Brian Karas

IPVM | In reply to Jon Dillabaugh | 03/27/17 02:19pm

*** -

** **** ********* *** *** ****** ****** ** ***** *******? If **, **** ** **** ****** *** ******* ********** *********** and **********, *** **** ******** ******** ******?

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Brian Karas | 03/27/17 02:27pm

**** **** ** *** *** ****** **** * ****** **** forward *** *** *** ****. ** ******* **** ****** ****** to *** ****** *** ********* ******** ***** *** ****** **************. The ****** *** *** *** ******* *** ** * ***-******** facing *******. ****, ** ***'* **** *** **** ******* *** remote *******.

Undisclosed Manufacturer #3

03/27/17 02:39pm

** ***** ** **** **** ****** ** **** *** *********. I ***** ** ******* ** *** ******** **** "**** ** is **** *** ******* ** ******* ** ** ** ** big ****." ******* * ** ******* ********* **** **** **** wasn't *****. ** ** ** ******** ************, *** **** ** a *** ***'* ****** ***** ** "*** ****" ** ** to ******* ** ** ****** ** **** ****** *** ** done ** ********** **. ** ******* ** *** ********** ******* our ******** *** ******* ******** *************. * ***** * ** objecting ** *** ******* ** *** ********. ** ** **** to **** * ************* ** **** ** ** ** ***** on **** ****** *** ** ****. *** *******, ** * vulnerability ****** ******* **** ******* ********* ** ****** *** ****/**** of * ******, **** ***** ** ********** * *** ****. if *** ************* *** ** **** ** ****** * **** serious ****** ** *** *******, ****** **** ** ****** * DoS ****** *** *******, **** ** * **** ******* ******** regardless ** *** **** ** ** *** ******* ** **.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #3 | 03/27/17 02:45pm

********** ** *** **** ** ** *** ******* ** **.

*** **** ********* ** ********* ******* ****** ******** ********. ** two ****** **** *** **** ********* ******, *** *** ***** a ******* ** ** *** *** ***** * ***** *** do, *** ***** *** ** **** **** ** * ****. Agree/disagree?

Wade Pinnell

03/28/17 04:56am

*****!

****, *** *** ******* ** ***** ** *** *************** ** hardware. *** *********** ***-**** **** **** ***** ******* *****-******** ******** on * **** ********** ********. ** ** *** **** ********* way ** ************ ********.

**** ** * ****** ** *** ****** (*** ** *********), the *************** ** *** ****** *** *** *********** ** ** attack. ***** * *** **********, **** ** *** ******* ********. Some **** ************* *** ******* **** *** ************** ******* *********.

********* ****** ******* ****** ******* ** ************ ** ***** ******** or *** ******* **** ****, ** *** ******* **, ******* against. *** ** **** ********, **** **** *********** ***'* ******* the ********* ************ ****** ** ******* * ************* **** ********** Study

** ** *** ***, **** ******* ** *******. ******** *** vulnerability ** ******** *** ** *** **** ********* **** ** integrator *** ************ ******* ** * ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on VMS

Magos Radar Company Profile on Nov 12, 2018
Magos America General Manager Yaron Zussman admits when he first came across Magos, he asked himself: "What's innovative about radar?" Be that as...
Axis 2N Intercom Tested on Nov 08, 2018
Axis expanded its video intercom business buying Czech-based 2N in 2016. Despite competing against owner Axis' intercoms, 2N recently registered as...
Dahua Dual Imager Dome Camera Tested (HDBW4231FN-E2-M) on Nov 07, 2018
Dahua has introduced a dual-imager dome model, the HDBW4231FN-E2-M, with two independently positionable sensors including integrated IR, not found...
Avigilon Opens Up Analytics And Cameras on Nov 06, 2018
Avigilon is opening up. The company historically famous for advocating its own end-to-end solutions and making it harder for 3rd parties to...
Worst Products on Nov 03, 2018
Security integrators periodically report on their favorite and worst products to IPVM. These are known integrators who IPVM pays to answer surveys....
Unisight Company Profile on Nov 01, 2018
Hikvision's largest US OEM, LTS has started to carry Unisight, whose products (shown below) look a lot like Hikvision's rival Dahua: Who is...
VMS Camera Management Shootout - Avigilon, Dahua, Exacq, Genetec, Hanwha, Hikvision, Milestone, Network Optix on Oct 29, 2018
Camera setup, configuration and maintenance are the most common tasks when managing a surveillance system. Who does it best and worst? Who offers...
Axxon Face Search Tested on Oct 26, 2018
AxxonSoft has brought facial recognition to their Axxon Next VMS for free with the simply named Face Search, claiming to allow users to find...
Exacq Co-Founders Return, Start Qumulex on Oct 24, 2018
Exacq co-founders Dan Rittman, Tom Buckley, and David Underwood are back, starting up Qumulex. In 2000, they sold Integral to Andover...
Geutebruck Company Profile on Oct 22, 2018
Geutebrück has been in business for nearly 50 years, but they are not well known within the US surveillance market. In this report, we profile...

Most Recent Industry Reports

Integrator Credit Card Alternative Divvy on Nov 13, 2018
Most security integrators are small businesses but large enough that they have various employees that need to be able to expense various charges as...
Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...
Magos Radar Company Profile on Nov 12, 2018
Magos America General Manager Yaron Zussman admits when he first came across Magos, he asked himself: "What's innovative about radar?" Be that as...
Genetec Privacy Protector Tested on Nov 12, 2018
Genetec has built Kiwi Security's Privacy Protector into Security Center, an analytic which anonymizes individuals in cameras' fields of view...
Chinese Government Increases Hikvision Ownership on Nov 12, 2018
The Chinese government - Hikvision's controlling shareholder - is increasing its ownership of the video surveillance giant amid sharp stock price...
Axis: "No One Wants To Buy A Camera" on Nov 09, 2018
Axis has, in its own description, made a bold declaration: The industry is changing so rapidly that the following statement might seem bold but...
Video Surveillance Hard Drive Size Statistics 2018 on Nov 08, 2018
What is the most common hard drive size for video surveillance? 150+ integrators answered: What size hard drive do you most commonly use? What...
Axis 2N Intercom Tested on Nov 08, 2018
Axis expanded its video intercom business buying Czech-based 2N in 2016. Despite competing against owner Axis' intercoms, 2N recently registered as...
Haven Targets School Security with Lockdown Lineup on Nov 08, 2018
Haven, a US startup founded in 2014 as a residential-focused company, has now raised funding and is offering a lineup of commercial grade locks for...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact