The E11, a popular smart intercom and videophone from Chinese company Akuvox, contains more than a dozen flaws, including a critical bug that allows unauthenticated remote code execution (RCE).
Malicious actors could use these to gain access to an organization's network, steal photos or video captured by the device, control the camera and microphone, and even lock and unlock doors.
The flaws were discovered and highlighted by Claroty's Team82, a security firm that became aware of the device's flaws when they moved into an office where the E11 was already installed.
Team82 members' interest in the device grew into a full-fledged investigation as they discovered 13 vulnerabilities, which they classified into three categories based on the attack vector used.
The first two types can occur via RCE within a local area network or through remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector focuses on gaining access to an external, insecure file transfer protocol (FTP) server, which allows the actor to download stored images and data.
The Akuvox E11 contains a critical RCE bug
One critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.
"The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.
Another notable vulnerability (CVE-2023-0348, with a CVSS score of 7.5) affects the SmartPlus mobile app, which iOS and Android users can use to interact with the E11. The main problem is that the app uses the open-source Session Initiation Protocol (SIP) to allow communication between two or more participants over IP networks. The SIP server does not validate SmartPlus users' authorization to connect to a specific E11, which means that anyone with the app installed can connect to any E11 connected to the Internet, including those behind a firewall.
"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."
Unpatched Akuvox Security Vulnerabilities
Beginning in January 2022, Team82 detailed their efforts to bring the vulnerabilities to the attention of Akuvox, but after several outreach attempts, Claroty's account with the vendor was blocked. Following that, Team82 published a technical blog detailing the zero-day vulnerabilities and enlisted the help of the CERT Coordination Center (CERT/CC) and CISA.
Organizations that use the E11 should disconnect it from the Internet until the vulnerabilities are fixed, or ensure that the camera is not capable of recording sensitive information. According to the Claroty report, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network" within the local area network.
"Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."
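The segmentation advice above can be expressed as a firewall policy. The following script is an added example written for this article, not Claroty's or Akuvox's code: it generates an nftables ruleset that places the intercom on its own segment, permits traffic only to a short allow list of endpoints (a SIP server, an NTP server, and one admin workstation for the web interface), and logs everything else before the default drop. The interface name, addresses, RTP port range and management host are all assumed placeholders to be replaced with a site's real values.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that isolates an intercom VLAN.
# Every address, interface and port below is an assumption for illustration.

INTERCOM_IF="${INTERCOM_IF:-vlan40}"          # assumed VLAN interface of the intercom segment
INTERCOM_NET="${INTERCOM_NET:-10.40.0.0/24}"  # assumed intercom subnet
SIP_SERVER="${SIP_SERVER:-198.51.100.10}"     # assumed SIP server the intercom must reach
NTP_SERVER="${NTP_SERVER:-10.0.0.1}"          # assumed internal NTP server
MGMT_HOST="${MGMT_HOST:-10.0.0.50}"           # assumed admin workstation allowed to use the web UI

# Print the ruleset to stdout; save it and load it with `nft -f <file>`.
emit_ruleset() {
  cat <<EOF
table inet intercom_seg {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies to connections that were explicitly allowed below
    ct state established,related accept

    # Intercom -> approved endpoints only (SIP signalling, RTP media, time sync)
    iifname "$INTERCOM_IF" ip saddr $INTERCOM_NET ip daddr $SIP_SERVER udp dport 5060 accept
    iifname "$INTERCOM_IF" ip saddr $INTERCOM_NET ip daddr $SIP_SERVER udp dport 10000-20000 accept comment "RTP media, assumed range"
    iifname "$INTERCOM_IF" ip saddr $INTERCOM_NET ip daddr $NTP_SERVER udp dport 123 accept

    # Only the admin workstation may reach the intercom web interface;
    # this keeps the unauthenticated web server off the rest of the network
    oifname "$INTERCOM_IF" ip saddr $MGMT_HOST ip daddr $INTERCOM_NET tcp dport { 80, 443 } accept

    # Anything else entering or leaving the segment is logged, then hits policy drop
    iifname "$INTERCOM_IF" limit rate 10/minute log prefix "intercom-seg-drop: "
    oifname "$INTERCOM_IF" limit rate 10/minute log prefix "intercom-seg-drop: "
  }
}
EOF
}

# Count accept rules so an operator can see how small the allow list is
allowed_rule_count() {
  emit_ruleset | grep -c ' accept$'
}

emit_ruleset
```

After loading the ruleset, `nft list table inet intercom_seg` shows the active policy, and the `intercom-seg-drop:` log prefix gives the detection side: any attempt by the intercom to reach the Internet or the corporate LAN, or by an unapproved host to reach the intercom, appears in the kernel log. The established/related rule is listed first so only the explicitly allowed flows ever get return traffic.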
A world of increasingly connected devices has provided sophisticated adversaries with a vast attack surface. According to Juniper Research, the number of industrial internet of things (IoT) connections alone — a measure of total IoT device deployment — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020.
And, despite the fact that the National Institute of Standards and Technology (NIST) has agreed on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched. Akuvox is the latest in a long line of these that have been found to be severely lacking in device security. Last year, for example, a critical RCE vulnerability in Hikvision IP video cameras was disclosed.