Team82 Blog
UPDATE, March 13:
Akuvox has reached out to Team82 informing us that it has confirmed the 13 vulnerabilities we uncovered in the E11 smart intercom, and said it will update firmware for these devices before March 20.
In a statement to customers and partners emailed to Team82, Akuvox said:
“We noticed a recent research report about Akuvox E11 vulnerabilities from Claroty and relevant media coverage. Once we confirmed the existence of the vulnerabilities, we have given top priority to patching the vulnerabilities. An updated firmware will be released before March 20, 2023 and be available on the Akuvox Knowledge Base.
“Additionally, Akuvox strictly complies with the laws and regulations in all countries and regions where we operate and is committed to continuously enhancing product security to meet the most stringent requirements and to best protect the users of our products.”
What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project, which uncovered 13 vulnerabilities that could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold. The 13 vulnerabilities can be exploited via three main attack vectors:
Remote code execution within the local area network
Remote activation of a device’s camera and microphone, with the captured data transmitted back to the attacker
Access to an external, insecure FTP server to download stored images and data
The device, the Akuvox E11, remains unpatched after many unsuccessful attempts to contact and coordinate the disclosure with the Chinese vendor, a global leader in SIP-based smart intercoms. Our efforts to reach Akuvox began in January 2022, and along the way several support tickets were opened by Team82 and immediately closed by the vendor before our account was ultimately blocked on Jan. 27, 2022.
We involved the CERT Coordination Center (CERT/CC), which also made multiple attempts to contact the vendor to no avail. After months of failed attempts, we disclosed our findings to CISA in December; CISA also had no success in working with Akuvox, and today published an advisory describing 13 vulnerabilities found by Team82. The flaws range from missing authentication and hard-coded encryption keys to missing or improper authorization and the exposure of sensitive information to unauthorized users.
Today, Team82 also published a technical blog describing some of the details of these zero-day vulnerabilities. We believe it’s in the best interest of the user community to share this information in the hope that users can take proactive measures to defend their organizations, whether it’s by taking remediation steps recommended below, discarding the device altogether, or pressuring the vendor to indeed address these vulnerabilities.
Like most successful startups, Claroty quickly outgrew its office space. One surprise that greeted us when we moved into our shiny new location last year was the Akuvox E11. While most wouldn’t find this too exciting, the sight of a smart intercom and camera attached to an ethernet cable starts a security and vulnerability researcher’s heart pumping faster.
Our first notion in poking around this new connected device was to figure out whether it could make our team’s life simpler. For example, having an office near the closest entrance to the building meant that we’d spend a lot of time getting up from our desks to let people in if the receptionist wasn’t around. It’s not fun.
We decided to hunt for an API that we could use to open the door; given this is a smart intercom and door system, there must be one. Fortunately, we didn’t have to dig too deeply; it was right in the documentation.
Before long, we decided the device was interesting enough to continue researching it. We acquired a device, explored the firmware, emulated the local web server on a Raspberry Pi, and began our hunt for vulnerabilities on the local environment. Once the device itself arrived, we were able to quickly take what we’d learned in the emulated local environment and apply it to the physical device.
The flaws we found are severe, and pose potentially damaging privacy violations for affected organizations and users. There are three attack vectors we’d like to share:
Remote Code Execution: Two of the vulnerabilities found by Team82—missing authentication for a critical function (CVE-2023-0354), and a command injection vulnerability (CVE-2023-0351)—can be chained to remotely execute code on the local network. If a vulnerable device is exposed to the internet, an attacker can use these flaws to take over the device, run arbitrary code, and possibly move laterally on the enterprise or small business network. According to the Akuvox website, these devices are the first line of defense at retirement homes, warehouses, apartment buildings, parking garages, medical centers, and even single-family homes.
Open the Camera Remotely: Another vulnerability (CVE-2023-0348) can be leveraged to remotely activate the camera and microphone, without authentication, and transmit the data to the attacker. In privacy-sensitive organizations, such as healthcare centers, this can put organizations in violation of numerous regulations designed to ensure patient privacy.
Collect Motion-Activated Images from All Intercoms: In this scenario, since the door phone camera is motion-activated, images are taken and uploaded to an external and insecure FTP file storage server. The images are available for periods of time on the server before they’re periodically deleted. In this time window, an attacker would be able to download images from Akuvox intercoms running anywhere.
Despite Akuvox’s failure to acknowledge the numerous disclosure attempts made by Team82 and others, we still recommend a number of mitigation measures.
First would be to ensure an organization’s Akuvox device is not exposed to the internet in order to shut off the current remote attack vector available to threat actors. Administrators would, however, likely lose their ability to remotely interact with the device over the SmartPlus mobile app.
Within the local area network, organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network. This contains any lateral movement an attacker with access to the device might attempt. Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints. Furthermore, only the ports needed to configure the device should be opened; we also recommend blocking incoming traffic to UDP port 8500, as the device’s discovery protocol is not needed.
Finally, we recommend changing the default password protecting the web interface. Right now the password is weak and included in the documentation to the device, which is publicly available.
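As an added example that is not part of the original post, the following Python script audits constructed firewall log lines against the segmentation policy described above: the intercom lives on its own segment, only a minimal list of endpoints may reach it on configuration ports, inbound UDP/8500 discovery traffic is blocked, and the device itself should not initiate connections elsewhere. The segment, host addresses, port list and log format are all assumptions made for the example.

```python
import ipaddress

# Assumed network layout for this example (not from the advisory):
INTERCOM_SEGMENT = ipaddress.ip_network("10.99.0.0/24")   # isolated segment holding the E11
ALLOWED_PEERS = {ipaddress.ip_address("10.10.1.5")}        # minimal endpoint list allowed to reach it
CONFIG_PORTS = {("TCP", 80), ("TCP", 443)}                 # only ports needed to configure the device
DISCOVERY_PORT = ("UDP", 8500)                             # device discovery protocol; not needed inbound

# Constructed log lines in an assumed key=value format (not a real product's log format).
SAMPLE_LOG = """2023-03-13T10:01:02 proto=TCP src=10.10.1.5 dst=10.99.0.20 dport=443
2023-03-13T10:01:05 proto=UDP src=10.10.7.33 dst=10.99.0.20 dport=8500
2023-03-13T10:02:10 proto=TCP src=10.99.0.20 dst=10.10.7.33 dport=445
2023-03-13T10:03:00 proto=TCP src=10.10.7.33 dst=10.99.0.20 dport=80
2023-03-13T10:04:00 proto=TCP src=10.10.1.5 dst=10.99.0.20 dport=23"""

def parse_line(line):
    """Parse one log line into a dict with typed src/dst addresses and an int dport."""
    ts, *fields = line.split()
    entry = {"ts": ts, **dict(f.split("=", 1) for f in fields)}
    entry["src"], entry["dst"] = map(ipaddress.ip_address, (entry["src"], entry["dst"]))
    entry["dport"] = int(entry["dport"])
    return entry

def policy_violation(entry):
    """Return why the flow breaks the isolation policy, or None if it is allowed."""
    service = (entry["proto"], entry["dport"])
    if entry["dst"] in INTERCOM_SEGMENT:                   # inbound to the intercom segment
        if service == DISCOVERY_PORT:
            return "inbound UDP/8500 discovery should be blocked"
        if entry["src"] not in ALLOWED_PEERS:
            return "source is not on the intercom segment allow-list"
        if service not in CONFIG_PORTS:
            return "port is not needed for device configuration"
    elif entry["src"] in INTERCOM_SEGMENT and entry["dst"] not in ALLOWED_PEERS:
        return "intercom reaching outside its allowed endpoints (possible lateral movement)"
    return None

def audit(log_text):
    """Return (timestamp, src, dst, dport, reason) for every violating log line."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        entry = parse_line(line)
        reason = policy_violation(entry)
        if reason:
            findings.append((entry["ts"], str(entry["src"]), str(entry["dst"]), entry["dport"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Of the five constructed lines, only the first (the allowed management host reaching the device over HTTPS) passes; the other four are reported with the policy rule they break.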
CWE-284: Improper Access Control
Akuvox E11 allows direct SIP calls. No access control is enforced by the SIP servers, which could allow an attacker to contact any device within Akuvox to call any other device.
CVSS v3: 7.5
CWE-94: Command Injection
The Akuvox E11 web server backend library allows command injection in the device phone-book contacts functionality. This could allow an attacker to upload files with executable command instructions.
CVSS v3: 8.8
CWE-306: Missing Authentication for Critical Function
The Akuvox E11 web server can be accessed without any user authentication, which could allow an attacker to access sensitive information, as well as create and download packet captures via known default URLs.
CVSS v3: 9.1