Internet of Things

Nexus Podcast: Vera Mens on Akuvox Vulnerabilities

Michael Mimoso
/
Mar 22, 2023

So-called internet-of-things (IoT) devices are embedded deep within companies worldwide, sharing analytical and performance data with enterprise IT systems to improve everything from performance to efficiency. Alongside the value these devices bring, it is also understood that they introduce additional risk that must be managed.

Devices are often not designed with security in mind, and they can be challenging to update, since most fixes require a new firmware image rather than a simple software patch.

That was part of Claroty Team82’s motivation in researching Akuvox’s E11 smart intercoms. These popular devices control physical access to offices and to residential and commercial buildings worldwide, and exploitable security vulnerabilities could expose users to a number of privacy and security violations.

Read Team82’s blog on this research: “The Silent Spy Among Us: Modern Attacks on Smart Intercoms”

In this episode of the Nexus podcast, Team82 researcher Vera Mens joins to discuss her work on these devices, which uncovered 13 vulnerabilities, some of which were critical in severity—and also typical of situations where IoT devices are sent to market without much consideration for cybersecurity. 

“I think the industry is improving but there is a long way to go with IoT devices, especially with devices that are not committed to security in their portfolio,” Mens said, adding that coding lifecycles need to include code reviews and penetration testing to ensure commodity vulnerabilities are discovered and dealt with before going to market. 

The 13 vulnerabilities can be exploited via three main attack vectors:

  • Remote code execution within the local area network

  • Remote activation of the device’s camera and microphone and transmission of data back to the attacker

  • Access to an external, insecure FTP server and the download of stored images and data

“FTP is a very old protocol, somewhere from the ’70s. It’s not that common that someone would use this protocol nowadays,” she said. “The focus on security was lacking somewhere in their development cycle. I hope this report will push those vendors to look at security issues and understand how important they are.”

The report did prompt Akuvox to confirm Team82’s private disclosure after 15 months. The vendor has promised a firmware update to address these vulnerabilities and has already removed the FTP server in question. Nonetheless, the disclosure process was a challenge. Team82 began it in January 2022 and opened several support tickets with the vendor, which were closed before the Team82 account was blocked by Akuvox. Only after publication of the research blog on March 9 and subsequent media coverage did Akuvox acknowledge the vulnerabilities and promise a quick fix.

Subscribe and listen to the Nexus podcast on your favorite platform.

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
