
New Video from @DEFCONConference Highlights Security Flaws in Axis IP Surveillance Devices
In this video, Noam Moshe, team lead and principal vulnerability researcher at Claroty Team82, presents his findings on security flaws in Axis IP surveillance devices. His goal was to show how an attacker can reach the internal networks of large organizations by exploiting vulnerabilities in services exposed to the Internet, in this case the proprietary Axis Remoting protocol.

Noam begins with the context: Axis IP cameras are widely deployed in businesses, educational institutions, medical facilities and government agencies. They run a proprietary Linux-based operating system, Axis OS, and expose a range of control and management features. To manage large fleets efficiently, Axis provides centralized products such as Axis Device Manager and Axis Camera Station, which configure, update and monitor cameras from a single point.

The Axis Remoting protocol, used between the management client and the server, is meant to be protected by authentication and encryption. Noam nonetheless found several critical vulnerabilities. Using a man-in-the-middle setup, he intercepted and decoded the traffic between the Axis client and server, which revealed the protocol's structure. He identified a deserialization vulnerability in the JSON-based Remote Procedure Call (RPC) layer that allows remote code execution. Exploiting it first required getting past NTLMSSP authentication, which he did with a pass-the-hash attack, presenting the NTLM hash in place of the password. Once authenticated, he could inject malicious payloads and execute code on the Axis server. Using legitimate features of the Axis ACAP SDK, he then built a backdoored application package to execute code on the cameras themselves.

Noam wanted, however, a pre-authentication exploit that needs no user interaction. He discovered a fallback protocol carried over HTTP with a layered scheme of asymmetric and symmetric encryption. By analyzing it, he found an undocumented endpoint that grants anonymous authentication, which let him trigger the deserialization vulnerability without any prior credentials.

The implications are broad. Noam found nearly 6,500 Axis servers exposed on the Internet, mostly in the United States, each able to manage up to 10,000 cameras. By chaining these vulnerabilities, an attacker could take control of the servers and the cameras behind them, compromising many organizations at once. He notes that the ban on Chinese IP camera brands in Western countries has pushed adoption toward Axis, enlarging the exposed population. For operators, the practical takeaway is that a management server such as Axis Camera Station should never be reachable from the Internet, and Axis's fixes should be applied. He concludes by acknowledging the collaboration with Axis to fix these vulnerabilities, underlining the importance of product security.

For more information, watch the full video at the following address: https://www.youtube.com/watch?v=wclvPznv5v4
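The talk summarized above does not show code, and the snippet below is an added illustration rather than Axis's or the researcher's implementation. It demonstrates the general class of bug described: a JSON RPC layer that lets the client name the type to instantiate, so that any importable callable becomes reachable, next to the hardened form that maps type names through an explicit allow-list. The `$type` field, the `apply_settings` method, the `CameraSettings` class and the two messages are all constructed for this example.

```python
"""Added example: type-name-driven JSON RPC deserialization, vulnerable vs hardened.
Not Axis code; the '$type' convention, method name and messages are hypothetical."""
import importlib
import json


class CameraSettings:
    """Hypothetical application type the RPC layer is meant to reconstruct."""

    def __init__(self, name: str, fps: int):
        self.name = name
        self.fps = fps

    def __repr__(self) -> str:
        return f"CameraSettings(name={self.name!r}, fps={self.fps})"


# The hardened decoder only knows the types in this explicit map.
ALLOWED_TYPES = {"CameraSettings": CameraSettings}


def decode_unsafe(spec: dict):
    """VULNERABLE: honour whatever '$type' the client sends.

    A dotted name is treated as an import path, so builtins.eval,
    subprocess.Popen or os.system are all reachable from the wire."""
    module_name, _, attr = spec["$type"].rpartition(".")
    scope = importlib.import_module(module_name) if module_name else None
    target = getattr(scope, attr) if scope else globals()[attr]
    return target(*spec.get("args", []), **spec.get("kwargs", {}))


def decode_safe(spec: dict):
    """HARDENED: '$type' is a key into an allow-list, never an import path."""
    type_name = spec.get("$type")
    cls = ALLOWED_TYPES.get(type_name)
    if cls is None:
        raise ValueError(f"type not allowed: {type_name!r}")
    return cls(**spec.get("kwargs", {}))


def handle_rpc(raw: str, decode) -> dict:
    """Minimal JSON-RPC style dispatcher with one method, 'apply_settings'.

    'decode' is the parameter deserializer; the rest of the server is the same
    in both cases, which is the point: the bug lives entirely in the decoder."""
    msg = json.loads(raw)
    if msg.get("method") != "apply_settings":
        return {"id": msg.get("id"), "error": "unknown method"}
    try:
        obj = decode(msg["params"])
    except ValueError as exc:
        return {"id": msg.get("id"), "error": str(exc)}
    return {"id": msg.get("id"), "result": repr(obj)}


# Constructed messages (not captured traffic). The malicious one uses
# builtins.eval on harmless arithmetic as a stand-in for a shell command.
BENIGN = json.dumps({
    "id": 1, "method": "apply_settings",
    "params": {"$type": "CameraSettings", "kwargs": {"name": "lobby", "fps": 25}},
})
MALICIOUS = json.dumps({
    "id": 2, "method": "apply_settings",
    "params": {"$type": "builtins.eval", "args": ["40 + 2"]},
})


def demo() -> dict:
    """Run both messages through both decoders and return the responses."""
    return {
        "unsafe_benign": handle_rpc(BENIGN, decode_unsafe),
        "unsafe_malicious": handle_rpc(MALICIOUS, decode_unsafe),  # eval ran
        "safe_benign": handle_rpc(BENIGN, decode_safe),
        "safe_malicious": handle_rpc(MALICIOUS, decode_safe),      # rejected
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two decoders accept the same legitimate message, so functionality is not the reason to keep the unsafe one. The hardened version also never reads the type name as a path; whatever string arrives, the only code that can run is a constructor the server chose in advance.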