Go ahead and unplug this door device before reading. You’ll thank us later. – Ars Technica


The Akuvox E11

Akuvox

The Akuvox E11 is billed as a video door phone, but it’s actually much more than that. The network-connected device opens building doors, provides live video and microphone feeds, takes a picture and uploads it each time someone walks by, and logs each entry and exit in real time. The Censys device search engine shows that roughly 5,000 such devices are exposed to the Internet, but there are likely many more that Censys can’t see for various reasons.

It turns out that this omnipotent, all-knowing device is riddled with holes that provide multiple avenues for putting sensitive data and powerful capabilities into the hands of threat actors who take the time to analyze its inner workings. That’s precisely what researchers from security firm Claroty did. The findings are serious enough that anyone who uses one of these devices in a home or building should pause reading this article, disconnect their E11 from the Internet, and assess where to go from there.

The 13 vulnerabilities found by Claroty include missing authentication for critical functions, missing or improper authorization, hard-coded keys, passwords that are encrypted with an accessible key rather than cryptographically hashed, and the exposure of sensitive information to unauthorized users. As bad as the vulnerabilities are, their threat is made worse by the failure of Akuvox, a leading China-based supplier of smart intercom and door entry systems, to respond to multiple messages from Claroty, the CERT Coordination Center, and the Cybersecurity and Infrastructure Security Agency (CISA) over a span of six weeks. Claroty and CISA published their findings on Thursday.

All but one of the vulnerabilities remain unfixed. Akuvox representatives didn’t respond to two emails seeking comment for this article.

WTF is this device doing in my office?

Claroty researchers first stumbled on the E11 when they moved into an office with one preinstalled at the door. Given its access to the comings and goings of employees and visitors and its ability to spy and open doors in real time, they decided to look under the hood. The first red flag the researchers found: Images taken each time motion was detected at the door were sent by unencrypted FTP to an Akuvox server in a directory that anyone could view and, from there, download images sent by other customers.

“We were very surprised when we started and we saw the FTP,” Amir Preminger, VP of research in Claroty’s Team82 research group, said in an interview. “We never imagined to find an FTP out in the clear. We blocked the device first, cut it off from everything, put it on its own island, and used it as a standalone. We’re in the process of replacing it.”

While the analysis continued, the behavior of the FTP server changed. The directory can no longer be viewed, so presumably it can no longer be downloaded, either. A significant threat continues to exist, however, since FTP uploads aren’t encrypted. That means anyone able to monitor the connection between an E11 and Akuvox can intercept uploads.

Another major find by the researchers was a flaw in the interface that allows the owner to use a web browser to log in to the device, control it, and access live feeds. While the interface requires credentials for access, Claroty found hidden routes that gave access to some of the web functions without a password. The vulnerability, tracked as CVE-2023-0354, works against devices that are exposed to the Internet using a static IP address. Users do this to connect to the device remotely using a browser.

That’s not the only vulnerability that allows unauthorized remote access to an E11. The device also works with a phone app called SmartPlus that’s available for Android and iOS. It allows remote access even when an E11 isn’t directly exposed to the Internet but is instead behind a firewall using network address translation.

SmartPlus communicates with the intercom using the Session Initiation Protocol (SIP), an open standard used for real-time communications such as voice and video calls, instant messaging, and games.

Simplified diagram showing how SIP calls work.

E11 owners can use the app to make calls that give access to the intercom.

Simplified diagram showing how SmartPlus uses SIP to call the E11.

Claroty

To make the app easier to use, the E11 automatically registers itself with a central SIP server that coordinates a connection between the app and the intercom. Claroty’s analysis found that the SIP server doesn’t check whether the SmartPlus user is authorized to connect to a specific E11. As a result, anyone with the app installed can connect to any E11 that’s connected to the Internet, even when it’s behind a NAT firewall. From there, the unauthorized user can view and listen to video and audio in real time.
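The missing check described above is an authorization decision that belongs on the SIP server: when an app account places a call to an intercom, the server must confirm that the account is bound to that device before it sets up the media session. The following model is an added illustration, not Akuvox's or Claroty's code; the account names, device identifiers, and binding table are constructed, and the two routing functions exist only to contrast the behaviour the report describes with a checked one.

```python
"""Model of SIP call routing with and without an account-to-device
authorization check. Added example; identifiers are constructed."""
from dataclasses import dataclass, field


@dataclass
class Registrar:
    # device_id -> set of account ids allowed to call it (constructed binding table,
    # the kind of owner/device association a vendor backend would already hold)
    bindings: dict = field(default_factory=dict)
    # devices that have registered themselves, as the E11 does automatically
    registered: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def register_device(self, device_id: str, owner_accounts) -> None:
        """The intercom registers; the backend records who owns it."""
        self.registered.add(device_id)
        self.bindings[device_id] = set(owner_accounts)

    def route_invite_unchecked(self, caller: str, callee: str) -> bool:
        """Behaviour the article describes: any registered intercom is reachable
        by any app account, because only device existence is checked."""
        return callee in self.registered

    def route_invite(self, caller: str, callee: str) -> bool:
        """Checked routing: the INVITE is accepted only when the calling account
        is bound to the callee device. Every decision is logged so that rejected
        attempts are visible to monitoring."""
        if callee not in self.registered:
            self.audit_log.append(f"REJECT {caller}->{callee}: unknown device")
            return False
        if caller not in self.bindings.get(callee, set()):
            self.audit_log.append(f"REJECT {caller}->{callee}: account not bound to device")
            return False
        self.audit_log.append(f"ALLOW {caller}->{callee}")
        return True


def demo() -> dict:
    """Replay the Eve/Bob scenario from the diagrams against both routers."""
    reg = Registrar()
    reg.register_device("e11-front-door", owner_accounts={"bob"})
    return {
        "unchecked_eve_reaches_bob": reg.route_invite_unchecked("eve", "e11-front-door"),
        "checked_eve_reaches_bob": reg.route_invite("eve", "e11-front-door"),
        "checked_bob_reaches_own": reg.route_invite("bob", "e11-front-door"),
        "log": list(reg.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit log matters as much as the refusal: a server that records rejected INVITEs per account gives operators a signal for accounts that probe many devices, which the unchecked design never produces.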

Eve calls an E11 belonging to Bob’s account.

Claroty

“We tested this using the intercom at our lab and another one at the office entrance,” Claroty researcher Vera Mens wrote in Thursday’s report. “Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab’s account to the intercom at the door.”

Image showing video from Bob’s E11 appearing on Eve’s SmartPlus app.

Claroty

And that’s not all

Another critical vulnerability Claroty found allows attackers to inject commands into the device. The capability stems from a failure to sanitize the names of files used for profile images to ensure they don’t contain strings that are interpreted as commands. Attackers can gain initial access to the device using the missing-authentication vulnerability in the web interface and then exploit the command injection vulnerability to download a configuration file that contains passwords for unlocking additional capabilities. Rather than hash the passwords, as is standard practice, the E11 encrypts them using a key that’s stored in the firmware.

Once a password is decrypted, the threat actor can use it to install a web shell that allows the installation of additional malware.
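Two of the weaknesses in this chain have well-known fixes: a user-supplied profile-image filename should be validated against a strict allowlist (and never handed to a shell), and stored passwords should be salted hashes rather than values encrypted under a key that ships in the firmware. The block below is an added illustration, not Akuvox firmware code; the filenames, passwords, and the toy "firmware key" are constructed, and the reversible scheme is a deliberately simple stand-in that exists only to show why reversibility is the problem.

```python
"""Filename allowlisting and password storage: the defensive counterparts to
the unsanitized filename and firmware-key encryption described in the article.
Added example; all sample values are constructed."""
import hashlib
import hmac
import os
import re

# Allowlist: a short name of safe characters plus an image extension. Anything
# else (spaces, quotes, ';', '$', '/', '..') is rejected outright rather than
# escaped, so the name can never carry shell syntax into a command.
SAFE_IMAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png)$")


def is_safe_image_name(name: str) -> bool:
    return SAFE_IMAGE_NAME.fullmatch(name) is not None


def validate_image_name(name: str) -> str:
    """Return the name unchanged if it passes the allowlist, else raise."""
    if not is_safe_image_name(name):
        raise ValueError("rejected profile image filename")
    return name


# --- Reversible storage (the pattern to avoid) ---------------------------------
# Toy stand-in for "encrypted with a key stored in the firmware": a repeating-key
# XOR. Whoever extracts the key from the firmware image recovers every password.
FIRMWARE_KEY = b"constructed-firmware-key"


def weak_encrypt(password: str) -> bytes:
    data = password.encode()
    return bytes(b ^ FIRMWARE_KEY[i % len(FIRMWARE_KEY)] for i, b in enumerate(data))


def recover_with_firmware_key(blob: bytes) -> str:
    # XOR is its own inverse; the plaintext comes straight back.
    return bytes(b ^ FIRMWARE_KEY[i % len(FIRMWARE_KEY)] for i, b in enumerate(blob)).decode()


# --- One-way storage (standard practice) --------------------------------------
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. The stored (salt, digest) pair cannot be
    turned back into the password, with or without the firmware."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(is_safe_image_name("avatar_01.jpg"), is_safe_image_name("avatar.jpg; id"))
    print(recover_with_firmware_key(weak_encrypt("door-admin-pw")))
    salt, digest = hash_password("door-admin-pw")
    print(verify_password("door-admin-pw", salt, digest), verify_password("guess", salt, digest))
```

When the validated name does have to reach an external tool, pass it as one element of an argument list to `subprocess.run` rather than interpolating it into a shell string; the allowlist is the first line of defence, and avoiding the shell entirely is the second.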

As noted earlier, the vulnerabilities are serious. They not only give remote attackers the ability to spy on users, they also allow them to unlock doors. These vulnerabilities would almost certainly constitute regulatory violations for users in fields such as health care. E11 users should seriously consider replacing their devices, given the severity of the vulnerabilities and the failure by Akuvox to respond to multiple disclosure attempts by Claroty and the CERT organizations.

At a minimum, these devices should be segregated in a network that’s not accessible to the Internet. That will prevent users from having any ability to access the device over the Internet, which presumably is a major selling point, but it would still allow the device to be used inside a local network.



2023-03-09 17:34:54