A Baker’s Dozen Of Flaws In One Small Package
The Akuvox E11 sounds like an interesting door camera, as it can open doors, capture live video and audio, snap a picture of anyone walking by and create logs of entries and exits in real time. All that power in a small IoT device would be handy, assuming that it was also well secured to prevent unauthorized usage. Sadly, it is a security nightmare, and the 13 flaws revealed in this article are bad enough that you should probably go unplug it before reading on.
Several of the features do not require proper authentication, and there are also hardcoded keys that are encrypted using accessible keys. The still pictures it captures are uploaded to an unencrypted FTP server, into a directory that anyone can view and download from. It was also discovered that there were ways around authentication when accessing the device via its web interface, from which you could control most of the features. As if that wasn’t bad enough, the phone app that talks to the Akuvox E11 can be leveraged in the same way.
Akuvox, the company which made this security nightmare, has not responded to multiple attempts by Claroty and the CERT organizations to reach them, so if you have an Akuvox E11 or know someone who does, turn it off and don’t turn it back on again!