Unpatched Zero-Day Bugs in Smart Intercom Allow Remote Eavesdropping

Published: 23/11/2024   Category: security


A video-enabled smart intercom made by Chinese company Akuvox has major security vulnerabilities that allow audio and video spying, and the company has so far been unresponsive to the discoveries.



A popular smart intercom and videophone from Chinese company Akuvox, the E11, is riddled with more than a dozen vulnerabilities, including a critical bug that allows unauthenticated remote code execution (RCE).
These could allow malicious actors to access an organization's network, steal photos or video captured by the device, control the camera and microphone, or even lock or unlock doors.
The vulnerabilities were discovered and highlighted by security firm Claroty's Team82, which became aware of the device's weaknesses when they moved into an office where the E11 had already been installed.
Team82 members' curiosity about the device turned into a full-blown investigation as they uncovered 13 vulnerabilities, which they divided into three categories based on the attack vector used.
The first two types can occur either through RCE within the local area network or remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector targets access to an external, insecure file transfer protocol (FTP) server, allowing the actor to download stored images and data.
As far as bugs that stand out the most, one critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.
The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs, according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.
Another vulnerability of note (CVE-2023-0348, with a CVSS score of 7.5) concerns the SmartPlus mobile app that iOS and Android users can download to interact with the E11.
The core issue lies in the app's implementation of the open source Session Initiation Protocol (SIP) to enable communication between two or more participants over IP networks. The SIP server does not verify the authorization of SmartPlus users to connect to a particular E11, meaning any individual with the app installed can connect to any E11 connected to the Web — including those located behind a firewall.
"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."
Team82 outlined their attempts to bring the vulnerabilities to Akuvox's attention, beginning in January 2022, but after several outreach attempts, Claroty's account with the vendor was blocked. Team82 subsequently published a technical blog detailing the zero-day vulnerabilities and involved the CERT Coordination Center (CERT/CC) and CISA.
Organizations using the E11 are advised to disconnect it from the Internet until the vulnerabilities are fixed, or to otherwise ensure the camera is not capable of recording sensitive information.
Within the local area network, organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network, according to the Claroty report. Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints.
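An added example, not from the article or Claroty's report: one way to check that the segmentation advice above is holding is to audit flow records for traffic that crosses the intercom segment boundary with a peer outside the allowlist, labelling the services the article names (Web server, SIP, FTP). The subnet, the allowlisted addresses and the flow records are all constructed for illustration.

```python
import csv
import ipaddress

# Assumed addressing, chosen for this example only.
INTERCOM_NET = ipaddress.ip_network("10.50.0.0/28")
ALLOWED_ENDPOINTS = {ipaddress.ip_address(a) for a in ("10.10.0.5", "10.10.0.9")}

# Services the article associates with the E11's exposure.
SERVICE_BY_PORT = {21: "FTP", 80: "web", 443: "web", 5060: "SIP", 5061: "SIP"}

# Constructed flow records: src,dst,dst_port
SAMPLE_FLOWS = """\
10.10.0.5,10.50.0.3,5060
10.20.7.44,10.50.0.3,80
10.50.0.3,203.0.113.20,21
198.51.100.8,10.50.0.3,5060
10.10.0.9,10.50.0.3,443
10.20.7.44,10.20.7.1,53
"""

def audit_flows(text):
    """Return (src, dst, port, reason) for every flow that crosses the
    intercom segment boundary with a peer that is not allowlisted."""
    findings = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 3:
            continue  # blank or malformed record
        try:
            src = ipaddress.ip_address(row[0].strip())
            dst = ipaddress.ip_address(row[1].strip())
            port = int(row[2])
        except ValueError:
            continue  # unparseable address or port
        src_in, dst_in = src in INTERCOM_NET, dst in INTERCOM_NET
        if src_in == dst_in:
            continue  # unrelated traffic, or traffic inside the segment
        peer = src if dst_in else dst
        if peer in ALLOWED_ENDPOINTS:
            continue
        direction = "inbound" if dst_in else "outbound"
        service = SERVICE_BY_PORT.get(port, "other")
        findings.append((str(src), str(dst), port,
                         f"{direction} {service}, peer not allowlisted"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```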
A world of increasingly connected devices has created a vast attack surface for sophisticated adversaries.
The number of industrial internet of things (IoT) connections alone — a measure of the number of total IoT devices deployed — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020, according to Juniper Research.
And while the National Institute of Standards and Technology (NIST) has settled on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched.
Akuvox is the latest in a long line of these found to be severely lacking when it comes to device security. For instance, a critical RCE vulnerability in Hikvision IP video cameras was disclosed last year.
And last November, a vulnerability in a series of popular digital door-entry systems offered by Aiphone allowed hackers to breach the entry systems — simply by utilizing a mobile device and a near-field communication (NFC) tag.
