A total of 13 vulnerabilities have been discovered in the E11 smart intercom made by the Chinese manufacturer Akuvox, allowing remote code execution (RCE), unauthorized access to the device and its network, and more.
Vera Mens, a security researcher at Claroty’s Team82, said in an advisory published last week that these vulnerabilities could be exploited via three different attack vectors: RCE within the local area network, remote activation of the device’s camera and microphone, and access to an external, insecure FTP server used by the device.
The first of these vectors relies on two flaws: missing authentication for a critical function (CVE-2023-0354) and a command injection vulnerability (CVE-2023-0351). Mens explained that chaining these two bugs together gives an attacker on the local network remote code execution on the device.
“If vulnerable devices are exposed to the Internet, attackers can use these flaws to hijack devices, execute arbitrary code, and move laterally across a corporate or small business network,” she explained.
The second vector, a microphone and camera hijacking vulnerability (CVE-2023-0348), can be exploited remotely without authentication, after which the captured audio and video can be transferred to the attacker.
“Privacy-focused organizations such as health care centers may violate many regulations designed to ensure patient privacy,” Mens added.
The third attack vector exploits an external, insecure FTP file storage server that holds images periodically captured by the intercom when its motion sensor is triggered.
“Images are available on the server for a period of time before being periodically deleted,” Mens explains. “Within this timeframe, an attacker can download images from any Akuvox intercom running anywhere.”
Security researchers at Claroty said all 13 flaws remain unpatched, even though Team82 contacted Akuvox and attempted to share its findings several times.
“Efforts to reach Akuvox began in January 2022. In the process, several support tickets were opened by Team82, which were immediately closed by the vendor, before the account was finally blocked on January 27, 2022,” the company’s advisory reads.
Team82’s technical write-up also includes mitigations that limit the security risk posed by these vulnerabilities while they remain unpatched.
The disclosure comes months after security researchers discovered an iOS Bluetooth bug that allowed apps to eavesdrop on user conversations.