Axis Exploit Allows Changing Camera Root Password Confirmed

Author: John Honovich, Published on Aug 02, 2016

IPVM has confirmed that using the Axis remote format string vulnerability, an attacker can easily change the root password of the camera, taking control of the entire camera and blocking out the legitimate user. This was submitted to IPVM last week.

This is in addition to the already severe unauthorized remote root access that we tested and verified recently.

How To

All that needs to be done is call a script with the replacement password and the password is changed. We believe this is a built-in utility that Axis uses internally and is available to root users such as those exploiting the remote format string vulnerability.

We are not disclosing the name of the script. Though the name is fairly obvious and we suspect many people with deep knowledge of Axis products are already well aware of it, we do not want to publicize that specific.

Impact Significant

The original exploit provides root access but not the web root password. Without that, one cannot log into the camera's web interface nor easily see nor change video / device settings. But once the root password is set by the attacker (with this Axis provided script), they then can easily spy on the video feed, change how the camera is configured, etc. 

This can be exploited remotely for publicly accessible cameras (including via port forwarding and UPnP) but it can also be done locally by rival integrators or manufacturer competitors that have access to a site.

Access Control Impacted Too

Also worth noting that this same procedure works on Axis A1001 access control panels, which is likely even a greater risk given the operational importance of access control vs video.

 

Axis Step Up And Better Notify The Industry

While Axis did some initial publicity of the vulnerability, they have done little since the working exploit was announced. They must know that this password script exists and can be easily called, making the vulnerability far more impactful.

Axis please go out and use your unrivaled marketing muscle to make it clear to every user out there the severity of this exploit and the need to upgrade every camera every where.

5 reports cite this report:

Hacked DVRs Surge To 400,000 on Oct 19, 2016
The global internet is under attack from record breaking botnets. And it is getting worse, Mirai doubled in size in the last month. Shamefully,...
Hacked Dahua Cameras Drive Massive Mirai Cyber Attack on Sep 27, 2016
Cyber attacks are accelerating and IP cameras are behind many of them. Worse, last week, a 'massive' attack was carried out using numerous Dahua...
Axis Hosted Video Decade of Failure on Aug 29, 2016
Do you want to 'head up' Axis hosted video offerings? Axis almost never publicly promotes senior positions, but for such an unattractive job they...
Axis Hides Exploit Danger on Aug 09, 2016
Axis is hiding the severity and danger of the 'remote string format' vulnerability. We ask Axis to fully communicate the risks of the released...
Axis Camera Hack Tested on Jul 21, 2016
Full disclosure by the researcher of the Axis critical security vulnerability has been made. But what does this mean? Does it even work? What can...
Comments (10): PRO Members only. Login. or Join.

Related Reports on Access Control

HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Cloud Guy Prints Book, Misses Irony on Sep 15, 2017
On-premise security systems are dead. But $75 print books are alive and well. Such are the lessons from Brivo's CEO new book "The Five...
Master Keying Tutorial on Sep 14, 2017
Mechanical keys are the most fundamental, albeit unsophisticated, form of access control. Like access control, Master Keying allows large scale use...
Fail Safe vs. Fail Secure Tutorial on Sep 13, 2017
Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these concepts...
Axis: Use QR Codes Instead of Access Cards on Sep 12, 2017
Innovation in access may be hard to find, but Axis recently suggested an idea for credentials few have considered. Rather than using plastic cards,...
Dahua and Hikvision Entering Access Control on Sep 05, 2017
Until now, Chinese video giants Hikvision and Dahua have held back releasing access internationally. Both companies have now pulled the trigger,...
Vulnerability Directory For Access Control Cards on Aug 14, 2017
Knowing which access credentials are insecure can be unclear, especially because most look and feel the same. Even the most insecure 125 kHz types...
Competing Against G4S on Aug 09, 2017
G4S Secure Solutions is a global company, operating in multiple countries and offering a suite of products and services from guards to their AMAG...
ONVIF Releases Profile A for Access on Aug 08, 2017
ONVIF has struggled so far in access control. In 2014, ONVIF released Profile C for access control, but in the 3 years since, only 2 companies...
Access Control Commissioning / Install Checklist on Aug 03, 2017
This 80+ point checklist helps end users, integrators and consultants verify that access control installation is complete. It covers the following...

Most Recent Industry Reports

Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...
Avigilon Touting 'Made In America' on Sep 18, 2017
Canadian manufacturer Avigilon, who completed a US manufacturing facility in 2015, is now running a marketing campaign touting 'Made In America',...
Cloud Guy Prints Book, Misses Irony on Sep 15, 2017
On-premise security systems are dead. But $75 print books are alive and well. Such are the lessons from Brivo's CEO new book "The Five...
Forgotten Password Problem Importance on Sep 15, 2017
Forgotten passwords has become a major industry topic. For example, Hikvision has been emailing admin passwords in plain text until IPVM's...
September IP Networking Course on Sep 14, 2017
LAST Chance - Registration is ending. Register now. This is the only networking course designed specifically for video surveillance professionals...
Hikvision Launching Ezviz Pro on Sep 14, 2017
Hikvision is launching Ezviz Pro. In 2015, Hikvision expanded Ezviz, a direct to consumer offering, to North America. Now, Ezviz 'Pro' is...
Genetec Launches Community Connect Examined on Sep 14, 2017
Genetec has done best in large-scale, enterprise systems and relatively worse in smaller systems such as SMB. Now, Genetec is launching...
Master Keying Tutorial on Sep 14, 2017
Mechanical keys are the most fundamental, albeit unsophisticated, form of access control. Like access control, Master Keying allows large scale use...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact