One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary who has obtained a camera’s IP address to remotely take over the camera (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to the Axis security team.
Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker who can reach the camera login page over the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera. An attacker with such control could do the following:
- Access the camera’s video stream
- Freeze the camera’s video stream
- Control the camera – move the lens to a desired point, turn motion detection on/off
- Add the camera to a botnet
- Alter the camera’s software
- Use the camera as an infiltration point into the network (performing lateral movement)
- Render the camera useless
- Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)
The vulnerable products include 390 models of Axis IP cameras. The full list of affected products can be found here. Axis uses the identifier ACV-128401 to refer to the issues we discovered.
To the best of our knowledge, these vulnerabilities were not exploited in the field, and therefore, did not lead to any concrete privacy violation or security threat to Axis’s customers.
We strongly recommend that Axis customers who have not updated their camera’s firmware do so immediately or mitigate the risks in alternative ways. See the instructions in the FAQ section below.
We also recommend that other camera vendors follow our recommendations at the end of this report to avoid and mitigate similar threats.