As the world becomes more and more interconnected, the internet of things (IoT) has taken off in recent years. The interconnectedness of devices has made life more convenient in many ways but has also opened up new security vulnerabilities. Recently, more than a dozen security flaws were disclosed in the E11, a smart intercom product made by Chinese company Akuvox.
The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device's camera and microphone, steal video and images, or gain a network foothold, Claroty security researcher Vera Mens said in a technical write-up. The most severe of the issues are as follows -
A majority of the 13 security issues remain unpatched to date, with the industrial and IoT security company noting that Akuvox has since addressed the FTP server permissions issue by disabling "the ability to list its content so malicious actors could not enumerate files anymore."
The attacks can manifest either through remote code execution within the local area network (LAN) or remote activation of the E11's camera and microphone, allowing the adversary to collect and exfiltrate multimedia recordings. A third attack vector takes advantage of an external, insecure file transfer protocol (FTP) server to download stored images and data.
The Akuvox E11 is described by the company on its website as a "SIP [Session Initiation Protocol] video doorphone specially designed for villas, houses, and apartments." The product listing, however, has been taken down from the website, displaying an error message: "Page does not exist." A snapshot captured by Google shows that the page was live as recently as March 12, 2023, 05:59:51 GMT.
As the number of devices connected to the internet continues to grow, it is important to be aware of the potential security risks. When considering purchasing a new IoT device, be sure to do your research to ensure that the company takes security seriously.