SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Claroty uncovers vulnerabilities in Akuvox intercom system
Wed, 15th Mar 2023

Claroty, the cyber-physical systems protection company, has uncovered 13 vulnerabilities in the Akuvox E11 smart intercom system. These vulnerabilities allow cyberattackers to remotely execute code to control the camera and microphone, steal video and images, or gain a network foothold.

The device, developed by a Chinese vendor, has yet to be patched, despite multiple attempts by Claroty and the CERT Coordination Centre (CERT/CC) to contact Akuvox.

“The device, the Akuvox E11, remains unpatched after many unsuccessful attempts to contact and coordinate the disclosure with the Chinese vendor, a global leader in SIP-based smart intercoms. Our efforts to reach Akuvox began in January 2022, and along the way several support tickets were opened by Team82 and immediately closed by the vendor before our account was ultimately blocked on Jan. 27, 2022,” says Claroty’s Team82, which uncovered the vulnerabilities. 

“We involved the CERT/CC, which also made multiple attempts to contact the vendor to no avail. After months of failed attempts, we disclosed our findings to ICS-CERT in December; ICS-CERT also had no success in working with Akuvox, and thus we have published an advisory describing 13 vulnerabilities found by Team82.”

The flaws include missing authentication, hard-coded encryption keys, missing or improper authorisation, and the exposure of sensitive information to unauthorised users.

Two of the vulnerabilities found by Team82 - missing authentication for a critical function (CVE-2023-0354) and a command injection vulnerability (CVE-2023-0351) - can be chained to execute code remotely on the local network. If a vulnerable device is exposed to the internet, for example, an attacker can use these flaws to take over the device, run arbitrary code, and move laterally on the enterprise or small business network. According to the Akuvox website, these devices are the first line of defence at retirement homes, warehouses, apartment buildings, parking garages, medical centres, and even single-family homes.

Another vulnerability (CVE-2023-0348) can be leveraged to remotely activate the camera and microphone without authentication and transmit the data to the attacker. In privacy-sensitive organisations, such as healthcare centres, this can put organisations in violation of numerous regulations designed to ensure patient privacy. 

In addition, since the door phone camera is motion-activated, images are taken and uploaded to an external and insecure FTP file storage server. The images are available for periods of time on the server before they're periodically deleted. In this time window, an attacker could download images from Akuvox intercoms running anywhere. 

Despite Akuvox’s failure to acknowledge the numerous disclosure attempts made by Team82 and others, Claroty recommends several mitigation measures. 

“The first thing is to ensure an organisation’s Akuvox device is not exposed to the internet in order to shut off the current remote attack vector available to threat actors. Administrators would, however, likely lose their ability to remotely interact with the device over the SmartPlus mobile app,” says Team82.

Within the local area network, organisations are advised to segment and isolate the Akuvox device from the rest of the enterprise network. This prevents an attacker who gains access to the device from moving laterally. In addition, not only should the device reside on its own network segment, but communication to and from this segment should be limited to a minimal list of endpoints.

“Furthermore, only ports needed to configure the device should be opened; we also recommend disabling UDP port 8500 for incoming traffic, as the device’s discovery protocol is not needed.” 

“Finally, we recommend changing the default password protecting the web interface. Right now the password is weak and included in the documentation to the device, which is publicly available,” concludes Team82.
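The segmentation and port restrictions Team82 recommends above can be checked against observed traffic. What follows is an added example, not code from Claroty or Akuvox: it audits constructed flow records against that policy, assuming an internal address space of 10.0.0.0/8, an intercom segment of 10.50.0.0/24, a single admin host 10.10.0.5 and HTTPS as the only configuration port; UDP 8500 is the discovery port named in the advisory.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Assumed values, not from the article: internal address space, the intercom
# segment, the one admin host allowed to reach it, HTTPS as the only config port.
ENTERPRISE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
INTERCOM_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_ENDPOINTS = {ipaddress.ip_address("10.10.0.5")}
CONFIG_PORTS = {("tcp", 443)}
# From the advisory: the device's discovery protocol on UDP 8500 is not needed.
DISCOVERY_PORT = ("udp", 8500)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def violation(flow: Flow) -> Optional[str]:
    """Describe how the flow breaches the segmentation policy, or None if allowed."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_in, dst_in = src in INTERCOM_SEGMENT, dst in INTERCOM_SEGMENT
    if src_in == dst_in:
        return None  # intra-segment, or not involving the intercom segment at all
    if dst_in:  # inbound towards the intercom segment
        if (flow.proto, flow.dport) == DISCOVERY_PORT:
            return "inbound discovery traffic on udp/8500 should be blocked"
        if src not in ALLOWED_ENDPOINTS:
            return f"inbound from non-allowlisted endpoint {flow.src}"
        if (flow.proto, flow.dport) not in CONFIG_PORTS:
            return f"inbound on non-configuration port {flow.proto}/{flow.dport}"
        return None
    # outbound from the intercom segment
    if not any(dst in net for net in ENTERPRISE_NETWORKS):
        return f"device reaching outside the enterprise network at {flow.dst}"
    if dst not in ALLOWED_ENDPOINTS:
        return f"outbound to non-allowlisted endpoint {flow.dst} (lateral movement risk)"
    return None


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every (flow, reason) pair that breaches the policy."""
    return [(f, reason) for f in flows if (reason := violation(f)) is not None]


# Constructed sample flows: admin HTTPS, a discovery probe, and an external FTP upload.
SAMPLE_FLOWS = [Flow("10.10.0.5", "10.50.0.20", "tcp", 443),
                Flow("10.10.0.77", "10.50.0.20", "udp", 8500),
                Flow("10.50.0.20", "203.0.113.9", "tcp", 21)]
```

Feeding real flow exports (NetFlow, firewall logs) through `audit` turns the recommendations into a repeatable check rather than a one-off firewall change.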