Axis Camera Vulnerabilities From Google Researcher Analyzed

Author: Brian Karas, Published on Mar 23, 2017

A Google security researcher has reported 6 vulnerabilities for Axis cameras, affecting multiple models and firmware versions.

In this report, we examine these vulnerabilities, potential for exploit, and the practical risk of them.

* ****** ******** ********** *** ******** * *************** *** **** cameras, ********* ******** ****** *** ******** ********.

** **** ******, ** ******* ***** ***************, ********* *** *******, and *** ********* **** ** ****.

[***************]

Vulnerabilities ********

* **** ** *** **** ********** ******* ***** *** ********* 6 ***************:

******: ** *****-**** ******* ******* ***********

******: ****** ****** ****** *** ***

******: *** ******** *** ** ****

******: ****** ****** ******** ****** *** ********* ***** ** **** on ********** **** ******

******: **** ****** .*** ******* *** ******** *******

******: ********* ** ******* *** **** *********

**** *** **** ****** ***** ********** ** ***** ***************** ************ ************.

Key ******** / *******

*** **** ** ** ******** ************ ***** ***** *************** ** extremely ***.

** ****** ***** ******* *** **** ** *** ********* ******** to ** ***:

  • ******** ** **** ** ***** * **** **** ******** * malicious **** ** ** ***** ** ** * *******, ***** calls * ****** ** *** ******
  • ******** ***** *** ******** ** ******* ** ******** ** * vulnerable ******* ** ******* ** ***** ** *******
  • *** **** ****** ** **** **** ***** ****** **** ***** cameras ******** ** *** **** *** ******* *** **** ** clicked **
  • *** ******* *** ** ******** ***** ** *.*.* **** ***** started ******** * ***** ***, ** ***** ****

********* *** **** ** *** ***** ** **** *** ****** researcher ********* ** *** ******* ** '********' *** ******. *******, this ** ****** **** *********** *** ********* ** ******* **** the***** ********, ***** ****** *** *** ******** ******* ** * ********** device *** ******** **.

************, *** ************ ******** ***** ********* ***** ** ******** ** gaining ****** ** * **** ******* ****** ** *******, ** any, ******** *** ******* ** **** ***** **** *** ***** attacks.

*** ******* ** ******* *** *** ********** ** **** *******, so ***** ** ** **** ** ******** * ********* **** while ****** **** * *** **** *** ***** ****** ** a ******.

Affects ******** ***** ** *.**

**** **** ******** ******** ***** ** *.** *** * ********* and ************* **** ***** **** **********. ***** ******* ***** ******** should******** ******* ******** **** ****' ******* ******* *** *** ** **** *******. ***** **** ****** have ***** ******** *********, ***** *** ***** * **** ***** of ******* *** ***** ******* ******** ** *** *********.

** ** ******** ****** ** *********, ***** ***** ** ******* to ******** *** *** ** ******** ** ****** *** ******, use * ******* ***** **** *** ******* ******* **** ***** so, *** ***** ******* ****** ** ******** ***** ** *******/********* sites **** ****** **** *** *******.

CSRF ******* - *** ** *************

***** *************** ******* ****** ***** ***************. ** *****, **** ******* **** ** * **** ***** logged **** * ******'* *** ********* *** **** ******* *** user ** ***** * **** **** ********** ** * ******** command ** *** ******. *** **** ** ***** ********* ** something ****, **** ** * **** ** ** ***** ***** the **** **** "***** **** ** ***** **** *******", *** the *** *********** ** * ******* ** *** ****** (**: http://192.168.1.50/cgi-bin/commnd.cgi).

*** ***** ***** ******** * **** **** ***** ******** ** CSRF:

******* *** **** ******* *** ****** ** *** ******, *** local *******, ***, ** **** ***** *****, *** ******** **** not **** ******** ****** ****** ** *** ******, **** **** need ** ***** *** **** **** ******** * **** **** a ********* ******* ***.

CSRF **********

**** ******* *** ********* ** ********* * ******* ***** ** part ** *** *******. *** ***** ** * **** ****** generated ** *** ******, *** **** ** *** ****** ** include **** *** *******, ***** ***** **** *** "****://***.***.*.**/***-***/******.***" ******* **** **** "****://***.***.*.**/***-***/******.***?*****=***********". ** * **** ***********, *** ***** ** **** ******, making ** *********** ********** *** ** ******** ** ***** *** include **** ***** ********* ****.

VAPIX ******** **** ***** ***

********* ** ****, ***** ***** *** ** *** ********** **** CSRF ******, ***** ******** **** **** ***** **** ********* ** prevent **** *******.

Axis **** ****** - ********* ***

**** ******** * *****-** **** ****** ** ***** *******, ** make ** ****** *** ***** ** **** ****** ***** ** other **** ***** ** *** ******. **** **** ****** ** called ** *** *********, ***** **** ** **** ** ******** cameras, ****** ** *** ********* ** ******** ** ********* *** file ** *** ******.

**** **** **** ****** **** ** ******* ** * ****** release ** ******* ****** ******* *********.

Comments (19)

Undisclosed #1

03/24/17 08:37pm

***********. **** ****** ** ***** ***** ******** ** ** **** a ********** ***** **** ** * **** *******? ** **** possibly ******* ** ********** ** **** ********** **** ****?

Undisclosed End User #2

In reply to Undisclosed Integrator #1 | 03/27/17 01:01pm

* ******* *** ******** ** **** ***** *** "******* ****" program.

Thumbnail profile

Michael Gonzalez

03/24/17 09:07pm

********* *********** *** *******, ******. ** ** *'* ******* **** correctly, ** ** **** ** ****** **** **** ** ******* is ******** **** **** ******** **** *** ****** ******* ** logically ********** **** *** ********/******** ********* *******?

Thumbnail brk1

Brian Karas

IPVM | In reply to Michael Gonzalez | 03/24/17 09:24pm

** ** **** ** ****** **** **** ** ******* ** rendered **** **** ******** **** *** ****** ******* ** ********* segregated **** *** ********/******** ********* *******?

*** ******. ** ** ******** *** ****** *** ******* *** a *******, ** ***** *** ****** ** **** *** *****, remote, ********** ** ***.

**** ** **** ***** **** **** ** ****** ********* ** that *** ********, *** ** ** **** **** ********** **** to ****** *** ******** ** ******* ***** *** ****** *** camera ******* ******* * **** ** "*****" *** *** ********. The ******** *** *** ****** *** ******* ********, *** **** send * ********* ** *** ******** *** *** ****** *** cameras, *** **** **** **** ** *******, *** ******* *** compromised.

*****, ** ** ***** ********** **** ***** ******** *** ******** to **** *** ** ******* ** * ********** ******, *** get *** ******** ** ***** * ********* ********* **** **** goes ** **** ******, ***** *** ******** ** ******* ****** into *** *** *********.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | 03/27/17 12:10am

***'* ******* ****** ***** **** ***** ********** *******.

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/27/17 12:21am

***'* ******* ****** ***** **** ***** ********** *******.

***, ****** **** * ********* *******, *** *** ***** ********* of ******** ********* ** *** **********?

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to John Honovich | 03/27/17 12:42pm

* *** **** ****** * ******* ******* ** **** * see ***** **** ***** ** * ***/***** ************* *********. ***, it *** ******* *** ****'* *******, ****** ******** *** *** absurdity ** *** ******* ******.

** ***** ** ***% ****. *** ****. *** ****. *** Hikvision. *** **** *** *****. **** *** *** ****** **** others. **** **** ****** ******* *** ** *** ********** ** their ******** *** *** **** ****** ** ******** ********.

**** **** **** **** ** ** ****** **** *** ***'* trust *** *** ****** ******** *** **** **** ** ********** to *** ******** ****** ********.

****** *** ****** ** ***** ********** ***** ** ****** ********** zero *************** ** ******* ** ** **. ***** ****** ********** and *** **** **** **** ************ ******** ** ****** ***** vulnerabilities *** ********* ** **** ** ********.

Thumbnail brk1

Brian Karas

IPVM | In reply to Jon Dillabaugh | 03/27/17 12:50pm

*** -

*** ** ********* **** ***** ** * ***** ****** ** difference ******* **** ************* ** *** **** *******, *** *** recent ***** *** ********* ***************, *****?

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Brian Karas | 03/27/17 01:01pm

**** *** ** **** ***********, *** ** ** * ************* is * ************* ** * ***** ******. ****, **** **** allow *** ** **** ** ************ **** ** ********* **** less ********* **** **** ****** ** *** **. *** ** be ********** *****, ***** ******* *******'* **** *** ******** ***. Even ** *** *** ****** ** **** *** **** *****, you ***'* ****** *** **** ********.

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/27/17 01:24pm

*** ** ** * ************* ** * ************* ** * great ******.

*** ***************, **** '*********' *** '******' *** **** ******* ** their ************.

** * ***** ** * - **, ****** **** *** above **** ************* ** *** ***** ************* **** **** *****.

*'** ** *****: ***** ** * ** ***** **'* ** easy ** **. **** ** * * ***** ** ******** a *********** ** ****** ********** ***** ** ****.

**** ****, ***. ****** **** **** ** * ***** ** 1 ** **.

Undisclosed Manufacturer #4

In reply to Jon Dillabaugh | 03/27/17 03:34pm

* ************* ** * *************? ****'* **** *****. ** *** actually ******* ****, **** ** ***** **** **** **********. ** survive ** ****** ********** *****.

* ****** **** *** **** *** **** **** ** *****-******* transportation *****. *** **** **** * ***** ****! *****'* *** seen *** ******** ********* ** *** **** ** *** **?

***'* ** **** ***** ** **** **********. *** ****!

****** **, **** **** ****!

Undisclosed Manufacturer #3

03/27/17 01:58pm

* ************* ** * *************. *** *** *** ******* ** the ******* ******* **** ******* ** "********" ** ***, *** become * ****** ** * ******* ******.

** ** *** "**** ****" **** ******* *** ******* **** any *** *** ******** **********. *** *** "*** ****" **** only **** ** **** *** ******** ** *******, ** *** advantage **** ****** ** **** *** *** ****.

**** *********** **** ******* *************** *** ***** **** ****** (* scale ** * ** **) ******** **** *** *********** *************** will ****** ** *** **** ****** ** *** ******. * vulnerability ** "*" (**** ***** *** ****) *** ** ****** if ** ** ** * ******* ******** ****** ***** **** aggressive ******* **** **** ********** ******* *** ***** ******** *** the ******* ** *** ****** **** **** * ****** *** significant ****** ** *** ****** ** ********** ** ** ************ which *** ***** ****** **** *** ****** ******.

** ** ** ******** **** ** **** *********** ******** **** seriously. ***** *** **** ************* *** *** ********* ******** ****** vulnerabilities *** ********* ****** ******* **** ***'* **** ** ****** the ***** ** ******** ********* ***** ******* ** **** *** responding ** ******** ******** ** ******** *********** *** ********. * have ************* *********** *********** *** *** ***** *** ******** ***** the ********** ** ************ **** ****** ** ******** ** ***** network. ** ********, * ****** ****** ******* ******** ******** *********** and ****** ** *** ***'* *** ********** *** **** **** the ******* *** **** *** ********* *** ******* ******* **** they *** ******** **.

** **** *** ***** *** **** ** ***** *************** *** they **** ******** ** ****** *** ********. *** **** ********* for ***** *** ********** *** ****** ****** ** ******** ***, is *** ***-****** **** ****** ** ***** **** ***** *********** security *** *** ******* ** **** ***** **** * ************* is **********?

**** ** *** **** **** ** ********* **** *********** ** awareness ** *** ***** **** ** ********* * **** ****** system, *** *************, *** *** **** *** ****** ******* *** ways ** *** ****** ** ***** **** **** ******** **** one.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #3 | 03/27/17 02:07pm

**** *********** **** ******* *************** *** ***** **** ****** (* scale ** * ** **) ******** **** *** *********** *************** will ****** ** *** **** ****** ** *** ******.

**, ** ***** ** **** **** *************** *** **** ****** to ******* **** ******. *** ***** ************* **** ****** ** large ***** ********, **********. **** **** ***, ** ** **** results ** * *******, ***** ** ******* ***** *** **** it ** ** ***.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to John Honovich | 03/27/17 02:14pm

** ***** ** **** ******* ***** ****** ** **** **** properly *********** ** * ********** *******.

Thumbnail brk1

Brian Karas

IPVM | In reply to Jon Dillabaugh | 03/27/17 02:19pm

*** -

** **** ********* *** *** ****** ****** ** ***** *******? If **, **** ** **** ****** *** ******* ********** *********** and **********, *** **** ******** ******** ******?

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Brian Karas | 03/27/17 02:27pm

**** **** ** *** *** ****** **** * ****** **** forward *** *** *** ****. ** ******* **** ****** ****** to *** ****** *** ********* ******** ***** *** ****** **************. The ****** *** *** *** ******* *** ** * ***-******** facing *******. ****, ** ***'* **** *** **** ******* *** remote *******.

Undisclosed Manufacturer #3

03/27/17 02:39pm

** ***** ** **** **** ****** ** **** *** *********. I ***** ** ******* ** *** ******** **** "**** ** is **** *** ******* ** ******* ** ** ** ** big ****." ******* * ** ******* ********* **** **** **** wasn't *****. ** ** ** ******** ************, *** **** ** a *** ***'* ****** ***** ** "*** ****" ** ** to ******* ** ** ****** ** **** ****** *** ** done ** ********** **. ** ******* ** *** ********** ******* our ******** *** ******* ******** *************. * ***** * ** objecting ** *** ******* ** *** ********. ** ** **** to **** * ************* ** **** ** ** ** ***** on **** ****** *** ** ****. *** *******, ** * vulnerability ****** ******* **** ******* ********* ** ****** *** ****/**** of * ******, **** ***** ** ********** * *** ****. if *** ************* *** ** **** ** ****** * **** serious ****** ** *** *******, ****** **** ** ****** * DoS ****** *** *******, **** ** * **** ******* ******** regardless ** *** **** ** ** *** ******* ** **.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #3 | 03/27/17 02:45pm

********** ** *** **** ** ** *** ******* ** **.

*** **** ********* ** ********* ******* ****** ******** ********. ** two ****** **** *** **** ********* ******, *** *** ***** a ******* ** ** *** *** ***** * ***** *** do, *** ***** *** ** **** **** ** * ****. Agree/disagree?

Wade Pinnell

03/28/17 04:56am

*****!

****, *** *** ******* ** ***** ** *** *************** ** hardware. *** *********** ***-**** **** **** ***** ******* *****-******** ******** on * **** ********** ********. ** ** *** **** ********* way ** ************ ********.

**** ** * ****** ** *** ****** (*** ** *********), the *************** ** *** ****** *** *** *********** ** ** attack. ***** * *** **********, **** ** *** ******* ********. Some **** ************* *** ******* **** *** ************** ******* *********.

********* ****** ******* ****** ******* ** ************ ** ***** ******** or *** ******* **** ****, ** *** ******* **, ******* against. *** ** **** ********, **** **** *********** ***'* ******* the ********* ************ ****** ** ******* * ************* **** ********** Study

** ** *** ***, **** ******* ** *******. ******** *** vulnerability ** ******** *** ** *** **** ********* **** ** integrator *** ************ ******* ** * ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on VMS

Axis Perimeter Defender Video Analytics Tested on Jul 12, 2018
Axis 'high security' video analytics offering is Perimeter Defender, OEMed / developed with Digital Barriers. But how good is Perimeter Defender?...
Drops Dahua, Fenner Becomes ISS CMO on Jul 09, 2018
Hired to improve Dahua's miserable marketing just last year, Janet Fenner has quit Dahua, joining VMS manufacturer ISS as Chief Marketing...
UK VSaaS Startup Ocucon on Jul 03, 2018
Decreasing exposure to fraudulent slip-and-fall insurance claims and lawsuits is one of the oldest selling points of video surveillance for retail....
Digital Watchdog Low Cost 4MP Camera Tested on Jul 02, 2018
Based on member 4MP testing requests, we bought and tested Digital Watchdog's low-cost 4MP DWC-MTT4Wi to see how it performs in real world scenes,...
Panoramic Fisheye Camera Shootout - Avigilon, Axis, Dahua, Hanwha, Hikvision, Oncam And Vivotek on Jun 27, 2018
IPVM tested Avigilon, Axis, Dahua, Hanwha, Hikvision, Oncam And Vivotek 12MP panoramic fisheye cameras head to head, as shown in the test setup...
Snap Surveillance Profile on Jun 26, 2018
There are not a lot of video surveillance companies that survive 9 years with only one feature that makes their product stand out. In the case of...
OpenEye Apex VMS Tested on Jun 26, 2018
OpenEye is a US company, founded nearly 20 years ago. In the past few years, OpenEye has been one of a few VMS providers that have pivoted to being...
Most Wanted Improvements In Manufacturer Technical Support (Statistics) on Jun 21, 2018
5 key areas of improvement and 1 clear wanted support feature were voiced by 140+ integrator responses to: What improvement in manufacturer...
Axis Guardian - Cloud VMS And Alarm Monitoring - Released on Jun 19, 2018
Axis has struggled to deliver a cloud-based managed service video platform. Video service providers have utilized AVHS for over a decade, and have...
ReconaSense - The AI / Access Control / Analytics / IoT / Video Company Profile on Jun 12, 2018
One company's ISC West booth stood out for displaying a light-up tower of buzzwords. The company, ReconaSense, pledged to be 'making sense of it...

Most Recent Industry Reports

Security Sales Course Summer 2018 on Jul 13, 2018
Based on member's interest, IPVM is offering a security sales course this summer. Register Now - IPVM Security Sales Course Summer 2018 This...
US Tariffs Hit China Video Surveillance on Jul 13, 2018
Chinese video surveillance products avoided tariffs for the first two rounds. Now, in the third round, many video surveillance products will be...
Last Chance - July 2018 IP Networking Course on Jul 12, 2018
Registration ends today, Thursday. Register now. This is the only networking course designed specifically for video surveillance...
4 Most Difficult Camera Installs (Statistics) on Jul 12, 2018
Heavy housings, cumbersome brackets, heavy ladders required, and tricky field of view requirements will cause difficulties no matter the camera...
Axis Perimeter Defender Video Analytics Tested on Jul 12, 2018
Axis 'high security' video analytics offering is Perimeter Defender, OEMed / developed with Digital Barriers. But how good is Perimeter Defender?...
Hikvision Fights Ban - Claims 'Red Scare', Hires 14 Term Ex-Congressman on Jul 11, 2018
Hikvision is fighting back against the House Bill Ban of their products. Hikvision has hired one of the biggest lobbying firms, led by a 14 term...
Arecont Acquisition By Costar on Jul 11, 2018
Arecont Vision acquisition by Costar Technologies has been approved by the court, concluding the bankruptcy process triggered by Arecont's...
Amazon Ring Partners With Rapid Response For $10 Monitoring on Jul 10, 2018
Amazon's Ring alarm system is using Rapid Response for monitoring, IPVM has confirmed in our testing. Amazon is arguably the most feared new...
SIA Lobbyists Working On House Bill Ban of Dahua and Hikvision on Jul 10, 2018
While SIA is most known for ISC West, SIA maintains the industry's most significant lobbying organization to influence US government action. Last...
Eastern and SavvyTech Merge, Form ENS, Targets ADI on Jul 09, 2018
ADI, ENS is coming for you. Or, at least, they hope. Two US distributors, NY based EasternCCTV and California based SavvyTech have merged, to...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact