Unpatched zero-day bugs in smart intercom allow remote eavesdropping

A popular smart intercom and videophone from Chinese company Akuvox, the E11, is riddled with more than a dozen vulnerabilities, including a critical bug that allows unauthenticated remote code execution (RCE).

These could allow malicious actors to access an organization’s network, steal photos or video captured by the device, control the camera and microphone, or even lock or unlock doors.

The vulnerabilities were discovered and highlighted by security firm Claroty’s Team82, which became aware of the device’s weaknesses when they moved into an office where the E11 had already been installed.

Members of Team82’s curiosity about the device turned into a full-blown investigation as they uncovered 13 vulnerabilities, which they divided into three categories based on the attack vector used.

The first two types can occur either through RCE within the local area network or remote activation of the E11’s camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector targets access to an external, insecure file transfer protocol (FTP) server, allowing the actor to download stored images and data.

A Critical RCE Bug in the Akuvox 311

As far as bugs that stand out the most, one critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

“The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs,” according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another vulnerability of note (CVE-2023-0348, with a CVSS score of 7.5) concerns the SmartPlus mobile app that iOS and Android users can download to interact with the E11.

The core issue lies in the app’s implementation of the open source Session Initiation Protocol (SIP) to enable communication between two or more participants over IP networks. The SIP server does not verify the authorization of SmartPlus users to connect to a particular E11, meaning any individual with the app installed can connect to any E11 connected to the Web — including those located behind a firewall.

To read the complete article, visit Dark Reading.