The Akuvox E11 Combo Video Door Phone, Intercom And Security Nightmare
A Baker’s Dozen Of Flaws In One Small Package
The Akuvox E11 sounds like an interesting door camera: it can open doors, capture live video and audio, snap a picture of anyone walking by, and log entries and exits in real time. All that power in a small IoT device would be handy, assuming it was also well secured against unauthorized use. Sadly, it is a security nightmare, and the 13 flaws revealed in this article are bad enough that you should probably go unplug it before reading on.
Several of the features do not require proper authentication, and the device also contains hardcoded keys, with encrypted material protected by keys that are themselves accessible. The still pictures it captures are uploaded to an unencrypted FTP server, into a directory that anyone can browse and download from. The researchers also found ways to bypass authentication on the web interface, from which most of the device's features can be controlled. As if that weren't bad enough, the phone app that talks to the Akuvox E11 can be leveraged in the same way.
Akuvox, the company that made this security nightmare, has not responded to multiple attempts by Claroty and the CERT organizations to reach it, so if you have an Akuvox E11 or know someone who does, turn it off and don't turn it back on again!
The findings are serious enough that anyone who uses one of these devices in a home or building should pause reading this article, disconnect their E11 from the Internet, and assess where to go from there.
More Tech News From Around The Web
- The Finals heads into closed beta, and you can smash its destructible environments right now @ Rock, Paper, SHOTGUN
- A more powerful Steam Deck is “a few years” off, Valve says @ Ars Technica
- SonicWall devices infected by malware that survives firmware upgrades @ Bleeping Computer
- AmigaOS 3.2.2 released for those feeling nostalgic @ The Register
- Bitwarden flaw can let hackers steal passwords using iframes @ Bleeping Computer
- Microsoft’s scythe hovers over RPS for Exchange Online @ The Register
- AT&T alerts 9 million customers of data breach after vendor hack @ Bleeping Computer
- Google Groups Has Been Left To Die @ Slashdot
- Get ready for a flood of self-published games on the Epic Games Store @ Ars Technica
- Canada’s Tax Revenue Agency Tries To ToS Itself Out of Hacking Liability @ Slashdot
- Windows Insider Dev Channel flies again as very flighty Canary Channel @ The Register