Axis Exploit Allows Changing Camera Root Password Confirmed

By: John Honovich, Published on Aug 02, 2016

IPVM has confirmed that using the Axis remote format string vulnerability, an attacker can easily change the root password of the camera, taking control of the entire camera and blocking out the legitimate user. This was submitted to IPVM last week.

This is in addition to the already severe unauthorized remote root access that we tested and verified recently.

How To

All that needs to be done is call a script with the replacement password and the password is changed. We believe this is a built-in utility that Axis uses internally and is available to root users such as those exploiting the remote format string vulnerability.

We are not disclosing the name of the script. Though the name is fairly obvious and we suspect many people with deep knowledge of Axis products are already well aware of it, we do not want to publicize that specific.

Impact Significant

The original exploit provides root access but not the web root password. Without that, one cannot log into the camera's web interface nor easily see nor change video / device settings. But once the root password is set by the attacker (with this Axis provided script), they then can easily spy on the video feed, change how the camera is configured, etc.

This can be exploited remotely for publicly accessible cameras (including via port forwarding and UPnP) but it can also be done locally by rival integrators or manufacturer competitors that have access to a site.

Access Control Impacted Too

Also worth noting that this same procedure works on Axis A1001 access control panels, which is likely even a greater risk given the operational importance of access control vs video.

Axis Step Up And Better Notify The Industry

While Axis did some initial publicity of the vulnerability, they have done little since the working exploit was announced. They must know that this password script exists and can be easily called, making the vulnerability far more impactful.

Axis please go out and use your unrivaled marketing muscle to make it clear to every user out there the severity of this exploit and the need to upgrade every camera every where.

5 reports cite this report:

Hacked DVRs Surge To 400,000 on Oct 19, 2016
The global internet is under attack from record breaking botnets. And it is...
Hacked Dahua Cameras Drive Massive Mirai Cyber Attack on Sep 27, 2016
Cyber attacks are accelerating and IP cameras are behind many of...
Axis Hosted Video Decade of Failure on Aug 29, 2016
Do you want to 'head up' Axis hosted video offerings? Axis almost...
Axis Hides Exploit Danger on Aug 09, 2016
Axis is hiding the severity and danger of the 'remote string format'...
Axis FMS Vulnerability 2016 Tested on Jul 21, 2016
Full disclosure by the researcher of the Axis critical security vulnerability...
Comments (9) : Members only. Login. or Join.

Related Reports

Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Vehicle Gate Access Control Guide on Mar 19, 2020
Vehicle gate access control demands integrating various systems to keep...
ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020
ISC News, the Reed publication behind the ISC East and West trade shows, has...
Delayed Egress Access Control Tutorial on Feb 04, 2020
Delayed Egress marks one of the few times locking people into a building is...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
Vape Detection Legal Battle: Soter Sues IPVideo Corp on Jul 22, 2020
The crosstown vape detection rivals are now in a legal battle. While IPVideo...
Camio Presents Coronavirus Social Distancing Analytics on Apr 20, 2020
Camio presented its social distancing analytics for responding to coronavirus...
The Insecure Verkada Access Control System on Jun 25, 2020
While Verkada touts the security of its system and that how their new door...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
PRC Warns Against China Video Surveillance Hacks, Hikvision Targeted on Feb 14, 2020
Hackers are targeting China video surveillance manufacturers and systems,...
Access Visitor Management Systems Guide on Jul 22, 2020
"Who are you, and why are you here?" Facilities that implement Visitor...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...