A smart intercom product made by Chinese company Akuvox is affected by more than a dozen vulnerabilities, including potentially serious flaws that can be exploited for spying.
The vulnerabilities were discovered by researchers at industrial and IoT cybersecurity firm Claroty. The company — along with CISA and CERT/CC — has attempted to report the findings to the vendor over the past year, but without success, and the security holes remain unpatched.
Claroty this week disclosed technical details of its findings and CISA has also published an advisory.
The security firm started analyzing Akuvox’s E11 product after finding it in a new office space it moved into last year. The E11 is advertised as a video doorphone designed for homes, villas, offices, and warehouses. It includes live video streaming, motion detection, and access control capabilities. According to CISA, the affected product has been used worldwide.
Claroty’s analysis revealed the existence of 13 vulnerabilities related to weak encryption, the use of hardcoded cryptographic keys, sensitive information exposure, insecure password recovery mechanisms, command injection flaws, improper access control and authentication, missing authorization, and hidden functionality that can be abused for malicious purposes.
A majority of these vulnerabilities have been assigned ‘critical’ and ‘high’ severity ratings. An attacker could exploit the flaws for remote code execution, remotely activating a device’s microphone and camera and transmitting data to a remote server, and obtaining stored images and data captured by the device.
An attacker could exploit the vulnerabilities to take complete control of the targeted Akuvox device, allowing them to spy on users, open doors, and gain a foothold into the targeted organization’s network, according to Claroty.
“In privacy-sensitive organizations, such as healthcare centers, this can put organizations in violation of numerous regulations designed to ensure patient privacy,” the company warned.
Many of the vulnerabilities can be exploited without authentication and attacks can even be launched directly from the internet if the targeted device is accessible from the web.
SecurityWeek has reached out to the vendor for comment and will update this article if the company responds.
While there do not appear to be any patches, Claroty said the risk can be mitigated by ensuring the device is not exposed to the internet, isolating it from the rest of the enterprise network to prevent lateral movement, and changing the default password for the web interface.
UPDATE, March 13: Akuvox has responded to SecurityWeek’s inquiry, saying that it has “given top priority to patching the vulnerabilities after confirming their existence”. The company plans on releasing a firmware update that should patch the vulnerabilities before March 20, 2023.
In the meantime, the company has advised partners to offer mitigation measures to customers.
“Akuvox is committed to continuously enhancing product security to meet the most stringent requirements. We are also happy to work with security researchers from organizations like Claroty to identify, patch, and release updates to best protect the users of our products,” Akuvox said.
Related: Aiphone Intercom System Vulnerability Allows Hackers to Open Doors
Related: Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors
Related: Vulnerability Allows Hackers to Unlock Smart Home Door Locks