A security research firm recently discovered a series of vulnerabilities in a number of Axis IP-based cameras, which are used in Axon Interview deployments. Three of these vulnerabilities can be chained together, allowing attackers to gain full access to and control over all aspects of the IP cameras. An attacker with this level of control could perform the following actions:
- Access the camera’s video stream
- Freeze the camera’s video stream
- Control the camera – move the lens to a desired point, turn motion detection on/off
- Add the camera to a botnet
- Alter the camera’s software
- Use the camera as an infiltration point for the network (performing lateral movement)
- Render the camera useless
- Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)
No specific condition or operation is required to trigger the vulnerability. The overall risk is reduced, though still present, if the IP cameras are installed behind a firewall or on an isolated network without access to the Internet. An attacker must have network access to the camera to exploit the vulnerability. Cameras that are exposed and accessible from the Internet are at a much higher risk and require more immediate attention.
Scope of Impact
A number of Axis IP-based cameras are affected by this vulnerability. This includes the AXIS® F41 and AXIS P3364/P3374 cameras that are commonly installed by Axon. Devices that are NOT affected include AXIS P7701 and AXIS P8221 model cameras. A complete list of the camera models affected can be found in the Axis Security Advisory document.
Note: Only the third-party cameras used by Axon Interview are impacted by this vulnerability. The Axon Interview, Evidence.com, or Body/Flex/Fleet products are not impacted and do not require any additional actions.
A firmware fix for the vulnerability is currently available. All impacted cameras should be updated to the latest firmware version as soon as possible. If your agency's Axon Interview deployment contains any of the affected cameras, you should pursue one of the following update options:
- Self-Supported Update: If your agency's IT department is comfortable performing the update themselves, the latest firmware version for the cameras can be downloaded at: https://www.axis.com/support/firmware. This will require registration through Axis and knowledge of the specific camera models deployed. The AXIS Camera Management application for Microsoft Windows may be downloaded to simplify and automate the firmware update process. The AXIS Camera Management application can be downloaded from the Axis website at: https://www.axis.com/products/axis-camera-management. Should your agency wish to perform the update manually, Axon Customer Service can provide detailed instructions.
- Axon Assisted Update: Axon is available to assist with the camera firmware updates, should your agency desire. To pursue this option, please contact Axon Technical Support at Support@Axon.com. This update will require temporary access to the agency network and will take each camera offline for approximately 10 minutes. The total time required to perform the updates depends on the number of cameras at your agency.
Note: Both update processes will force an immediate reboot of the camera. To prevent loss of video footage, ensure there are no active recording sessions in progress prior to updating the firmware.
Axis Security Advisory ACV-128401: https://www.axis.com/files/faq/Advisory_ACV-128401.pdf
Full list of affected Axis devices: https://www.axis.com/files/sales/ACV-128401_Affected_Product_List.pdf
Security researcher disclosure and technical deep-dive: https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/