Researchers have detailed a string of vulnerabilities that, when exploited in combination, would allow for hundreds of models of internet-linked surveillance cameras to be remotely hijacked.
Security biz VDOO said today it privately alerted cam-maker Axis Communications to the seven bugs it found in its gizmos, leading to the manufacturer issuing firmware updates for roughly 400 models of connected surveillance cameras that would be vulnerable to attack.
Owners of at-risk gear are urged advised to update their camera firmware as soon as possible.
According to VDOO, the flaws individually are bad, but when exploited in sequence, a miscreant can execute shell commands on any camera they have network access to, allowing them to hijack devices and spy on people.
To perform the attack, a hacker would first run an exploit for CVE-2018-10661, an authorization bypass that allows the attacker to access /bin/ssid, which runs as root, via unauthenticated HTTP requests. From there, the attacker would target CVE-2018-10662 to send messages, via dbus, to a service called PolicyKitParhand. Then, in a third step, the miscreant would leverage CVE-2018-10660, a flaw that lets the attacker inject shell commands as root into the system as parhand parameters. Those commands would allow the snoop to do things such as move or control the camera, turn it off, or instruct it to download and run malicious code – things like botnet malware or software nasties to attack other devices.
VDOO noted those three flaws are just part of the larger collection of seven CVE-listed issues the biz discovered in Axis cameras, and reported them to the manufacturer. The other bugs would allow information to leak, or trigger process crashes.
The research firm said Axis is far from alone in shipping stuff with shoddy security, and the seven bugs are just part of a larger effort its researchers are undertaking to spot holes in IP-connected surveillance equipment.
In addition to patching firmware flaws, the researchers said vendors should take better care to sanitize data inputs – to screen out bad commands – as well as minimizing the processes that have root access, and try to avoid relying on shell scripts that take user-supplied parameters to carry out commands.
VDOO also wants to see more manufacturers work to encrypt the firmware they use for IP-enabled cameras, a move they admit comes with some drawbacks of its own.
"On the other hand, it is worth noting that the security by obscurity approach for firmware content may contribute to a situation in which issues exists but are not being discovered and remediated since the firmware is encrypted properly," VDOO noted. "Vendors should consider this tradeoff carefully."
"External researchers have discovered a number of vulnerabilities in Axis products," the manufacturer said in a statement. "An adversary with network access to an affected Axis product can, by combining these vulnerabilities, compromise the product. There are no indications that the exploit is known to anyone except the researchers and Axis." ®