The Akuvox E11 is billed as a video door phone, but it’s actually much more than that. The network-connected device opens building doors, provides live video and microphone feeds, takes a picture and uploads it each time someone walks by, and logs each entry and exit in real time. The Censys device search engine shows that roughly 5,000 such devices are exposed to the Internet, but there are likely many more that Censys can’t see for various reasons.
It turns out that this omnipotent, all-knowing device is riddled with holes that provide multiple avenues for putting sensitive data and powerful capabilities into the hands of threat actors who take the time to analyze its inner workings. That’s precisely what researchers from security firm Claroty did. The findings are serious enough that anyone who uses one of these devices in a home or building should pause reading this article, disconnect their E11 from the Internet, and assess where to go from there.
The 13 vulnerabilities found by Claroty include a missing authentication for critical functions, missing or improper authorization, hard-coded keys that are encrypted using accessible rather than cryptographically hashed keys, and the exposure of sensitive information to unauthorized users. As bad as the vulnerabilities are, their threat is made worse by the failure of Akuvox—a China-based leading supplier of smart intercom and door entry systems—to respond to multiple messages from Claroty, the CERT coordination Center, and Cybersecurity and Infrastructure Security Agency over a span of six weeks. Claroty and CISA publicly published their findings on Thursday here and here.
All but one of the vulnerabilities remain unfixed. Akuvox representatives didn’t respond to two emails seeking comment for this article.
WTF is this device doing in my office?
Claroty researchers first stumbled on the E11 when they moved into an office with one preinstalled at the door. Given its access to the comings and goings of employees and visitors and its ability to spy and open doors in real time, they decided to look under the hood. The first red flag the researchers found: Images taken each time motion was detected at the door were sent by unencrypted FTP to an Akuvox server in a directory that anyone could view and, from there, download images sent by other customers.
“We were very surprised when we started and we saw the FTP,” Amir Preminger, VP of research in Claroty’s Team82 research group, said in an interview. “We never imagined to find an FTP out in the clear. We blocked the device first, cut it off from everything, put it on its own island, and use it as a standalone. We’re in the process of replacing it.”
While the analysis continued, the behavior of the FTP server changed. The directory can no longer be viewed, so presumably it can no longer be downloaded, either. A significant threat continues to exist, however, since FTP uploads aren’t encrypted. That means anyone able to monitor the connection between an E11 and Akuvox can intercept uploads.
Another major find by the researchers was a flaw in the interface that allows the owner to use a web browser to log in to the device, control it, and access live feeds. While the interface requires credentials for access, Claroty found hidden routes that gave access to some of the web functions without a password. The vulnerability, tracked as CVE-2023-0354, works against devices that are exposed to the Internet using a static IP address. Users do this to connect to the device remotely using a browser.
That’s not the only vulnerability that allows unauthorized remote access to an E11. The device also works with a phone app called SmartPlus that’s available for Android and iOS. It allows remote access even when an E11 isn’t directly exposed to the Internet but is instead behind a firewall using network address translation.
SmartPlus communicates with the intercom using the session initiation protocol, an open standard used for real-time communications such as voice and video calls, instant messaging, and games.