A total of 13 vulnerabilities have been found in the E11 smart intercom devices made by Chinese manufacturer Akuvox, allowing remote code execution (RCE), network access and more.
Writing in an advisory published last week, Vera Mens, a security researcher at Claroty’s Team82, said the flaws could be exploited via three different attack vectors: RCE within the local area network, remote activation of the device’s camera and microphone, and via access to an external, insecure FTP server.
The first of these vectors relies on two flaws related to missing authentication for a critical function (CVE-2023-0354) and a command injection vulnerability (CVE-2023-0351), respectively. Mens explained these bugs could be chained to perform RCE on the local network.
“If a vulnerable device is exposed to the internet, an attacker can use these flaws to take over the device, run arbitrary code and possibly move laterally on the enterprise or small business network,” she explained.
On the other hand, the vulnerability related to microphone and webcam takeover (CVE-2023-0348) could be leveraged remotely and without authentication. It then allowed for data transfer back to the attacker.
“In privacy-sensitive organizations, such as healthcare centers, this can put organizations in violation of numerous regulations designed to ensure patient privacy,” Mens added.
The third attack vector exploited an external and insecure FTP file storage server containing images regularly taken by the intercom via a motion sensor.
“The images are available for periods of time on the server before they’re periodically deleted,” Mens explained. “In this time window, an attacker would be able to download images from Akuvox intercoms running anywhere.”
The Claroty security researcher said all the flaws remain unpatched, even after Team82 contacted Akuvox and shared the disclosure several times.
“Our efforts to reach Akuvox began in January 2022, and along the way, several support tickets were opened by Team82 and immediately closed by the vendor before our account was ultimately blocked on January 27 2022,” reads the company’s advisory.
The technical write-up also contains mitigations to limit the security risks of these vulnerabilities.
The disclosure comes months after a security researcher found an iOS Bluetooth bug that allowed apps to eavesdrop on user conversations.