More than a dozen security flaws have been disclosed in E11, a smart intercom product made by Chinese company Akuvox.
“The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold,” Claroty security researcher Vera Mens said in a technical write-up.
Akuvox E11 is described by the company on its website as a “SIP [Session Initiation Protocol] video doorphone specially designed for villas, houses, and apartments.”
The product listing, however, has been taken down from the website, displaying an error message: “Page does not exist.” A snapshot captured by Google shows that the page was live as recently as March 12, 2023, 05:59:51 GMT.
The attacks can manifest either through remote code execution within the local area network (LAN) or remote activation of the E11’s camera and microphone, allowing the adversary to collect and exfiltrate multimedia recordings.
A third attack vector takes advantage of an external, insecure file transfer protocol (FTP) server to download stored images and data.
The most severe of the issues are as follows –
- CVE-2023-0344 (CVSS score: 9.1) – Akuvox E11 appears to be using a custom version of dropbear SSH server. This server allows an insecure option that by default is not in the official dropbear SSH server.
- CVE-2023-0345 (CVSS score: 9.8) – The Akuvox E11 secure shell (SSH) server is enabled by default and can be accessed by the root user. This password cannot be changed by the user.
- CVE-2023-0352 (CVSS score: 9.1) – The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default.
- CVE-2023-0354 (CVSS score: 9.1) – The Akuvox E11 web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs.
A majority of the 13 security issues remain unpatched to date, with the industrial and IoT security company noting that Akuvox has since addressed the FTP server permissions issue by disabling the “the ability to list its content so malicious actors could not enumerate files anymore.”
The findings have also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an Industrial Control Systems (ICS) advisory of its own last week.
“Successful exploitation of these vulnerabilities could cause loss of sensitive information, unauthorized access, and grant full administrative control to an attacker,” the agency cautioned.
In the absence of patches, organizations using the doorphone are advised to disconnect it from the internet until the vulnerabilities are fixed to mitigate potential remote attacks.
It’s also advised to change the default password used to secure the web interface and “segment and isolate the Akuvox device from the rest of the enterprise network” to prevent lateral movement attacks.
The development comes as Wago released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities (CVE-2022-45137, CVE-2022-45138, CVE-2022-45139, and CVE-2022-45140) two of which could be exploited to achieve full system compromise.