Axis Exploit Allows Changing Camera Root Password Confirmed

Author: John Honovich, Published on Aug 02, 2016

IPVM has confirmed that, using the Axis remote format string vulnerability, an attacker can easily change the camera's root password, taking control of the entire camera and locking out the legitimate user. The technique was submitted to IPVM last week.

This is in addition to the already severe unauthorized remote root access that we tested and verified recently.

How To

All that needs to be done is to call a script with the replacement password, and the password is changed. We believe this is a built-in utility that Axis uses internally; it is available to anyone with a root shell on the device, including an attacker who has exploited the remote format string vulnerability.

We are not disclosing the name of the script. Though the name is fairly obvious, and we suspect many people with deep knowledge of Axis products are already well aware of it, we do not want to publicize that specific detail.

Impact Significant

The original exploit provides root shell access on the camera but not the web interface's root password. Without that password, an attacker cannot log into the camera's web interface, and cannot easily view or change video and device settings. But once the attacker sets the root password with this Axis-provided script, they can log in as the administrator: spy on the video feed, change how the camera is configured, and so on.

This can be exploited remotely against any camera reachable from the Internet (including cameras exposed through port forwarding or UPnP), but it can also be done locally, on the site network, by rival integrators or manufacturer competitors with access to a site.

Access Control Impacted Too

This same procedure also works on Axis A1001 access control panels, which is likely an even greater risk given the operational importance of access control relative to video.

Axis Step Up And Better Notify The Industry

While Axis did some initial publicity for the vulnerability, they have done little since the working exploit was released. They must know that this password script exists and can easily be called, which makes the vulnerability far more impactful.

Axis, please use your unrivaled marketing muscle to make clear to every user the severity of this exploit and the need to upgrade the firmware on every camera, everywhere.
