https://urgentcomm.com/wp-content/themes/ucm_child/assets/images/logo/footer-new-logo.png
  • Home
  • News
  • Multimedia
    • Back
    • Multimedia
    • Video
    • Podcasts
    • Galleries
    • IWCE’s Video Showcase
    • IWCE 2022 Winter Showcase
    • IWCE 2023 Pre-event Guide
  • Commentary
    • Back
    • Commentary
    • Urgent Matters
    • View From The Top
    • All Things IWCE
    • Legal Matters
  • Resources
    • Back
    • Resources
    • Webinars
    • White Papers
    • Reprints & Reuse
  • IWCE
    • Back
    • IWCE
    • Conference
    • Special Events
    • Exhibitor Listings
    • Premier Partners
    • Floor Plan
    • Exhibiting Information
    • Register for IWCE
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Terms of Service
    • Privacy Statement
    • Cookie Policy
  • Related Sites
    • Back
    • American City & County
    • IWCE
    • Light Reading
    • IOT World Today
    • Mission Critical Technologies
    • TU-Auto
  • In the field
    • Back
    • In the field
    • Broadband Push-to-X
    • Internet of Things
    • Project 25
    • Public-Safety Broadband/FirstNet
    • Virtual/Augmented Reality
    • Land Mobile Radio
    • Long Term Evolution (LTE)
    • Applications
    • Drones/Robots
    • IoT/Smart X
    • Software
    • Subscriber Devices
    • Video
  • Call Center/Command
    • Back
    • Call Center/Command
    • Artificial Intelligence
    • NG911
    • Alerting Systems
    • Analytics
    • Dispatch/Call-taking
    • Incident Command/Situational Awareness
    • Tracking, Monitoring & Control
  • Network Tech
    • Back
    • Network Tech
    • Interoperability
    • LMR 100
    • LMR 200
    • Backhaul
    • Deployables
    • Power
    • Tower & Site
    • Wireless Networks
    • Coverage/Interference
    • Security
    • System Design
    • System Installation
    • System Operation
    • Test & Measurement
  • Operations
    • Back
    • Operations
    • Critical Infrastructure
    • Enterprise
    • Federal Government/Military
    • Public Safety
    • State & Local Government
    • Training
  • Regulations
    • Back
    • Regulations
    • Narrowbanding
    • T-Band
    • Rebanding
    • TV White Spaces
    • None
    • Funding
    • Policy
    • Regional Coordination
    • Standards
  • Organizations
    • Back
    • Organizations
    • AASHTO
    • APCO
    • DHS
    • DMR Association
    • ETA
    • EWA
    • FCC
    • IWCE
    • NASEMSO
    • NATE
    • NXDN Forum
    • NENA
    • NIST/PSCR
    • NPSTC
    • NTIA/FirstNet
    • P25 TIG
    • TETRA + CCA
    • UTC
Urgent Communications
  • NEWSLETTER
  • Home
  • News
  • Multimedia
    • Back
    • Video
    • Podcasts
    • Omdia Crit Comms Circle Podcast
    • Galleries
    • IWCE’s Video Showcase
    • IWCE 2023 Pre-event Guide
    • IWCE 2022 Winter Showcase
  • Commentary
    • Back
    • All Things IWCE
    • Urgent Matters
    • View From The Top
    • Legal Matters
  • Resources
    • Back
    • Webinars
    • White Papers
    • Reprints & Reuse
    • UC eZines
    • Sponsored content
  • IWCE
    • Back
    • Conference
    • Why Attend
    • Exhibitor Listing
    • Floor Plan
    • Exhibiting Information
    • Join the Event Mailing List
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Cookie Policy
    • Terms of Service
    • Privacy Statement
  • Related Sites
    • Back
    • American City & County
    • IWCE
    • Light Reading
    • IOT World Today
    • TU-Auto
  • newsletter
  • In the field
    • Back
    • Internet of Things
    • Broadband Push-to-X
    • Project 25
    • Public-Safety Broadband/FirstNet
    • Virtual/Augmented Reality
    • Land Mobile Radio
    • Long Term Evolution (LTE)
    • Applications
    • Drones/Robots
    • IoT/Smart X
    • Software
    • Subscriber Devices
    • Video
  • Call Center/Command
    • Back
    • Artificial Intelligence
    • NG911
    • Alerting Systems
    • Analytics
    • Dispatch/Call-taking
    • Incident Command/Situational Awareness
    • Tracking, Monitoring & Control
  • Network Tech
    • Back
    • Cybersecurity
    • Interoperability
    • LMR 100
    • LMR 200
    • Backhaul
    • Deployables
    • Power
    • Tower & Site
    • Wireless Networks
    • Coverage/Interference
    • Security
    • System Design
    • System Installation
    • System Operation
    • Test & Measurement
  • Operations
    • Back
    • Critical Infrastructure
    • Enterprise
    • Federal Government/Military
    • Public Safety
    • State & Local Government
    • Training
  • Regulations
    • Back
    • Narrowbanding
    • T-Band
    • Rebanding
    • TV White Spaces
    • None
    • Funding
    • Policy
    • Regional Coordination
    • Standards
  • Organizations
    • Back
    • AASHTO
    • APCO
    • DHS
    • DMR Association
    • ETA
    • EWA
    • FCC
    • IWCE
    • NASEMSO
    • NATE
    • NXDN Forum
    • NENA
    • NIST/PSCR
    • NPSTC
    • NTIA/FirstNet
    • P25 TIG
    • TETRA + CCA
    • UTC
acc.com

Cybersecurity


Partner content

Unpatched zero-day bugs in smart intercom allow remote eavesdropping

Unpatched zero-day bugs in smart intercom allow remote eavesdropping

  • Written by Nathan Eddy / Dark Reading
  • 11th March 2023

A popular smart intercom and videophone from Chinese company Akuvox, the E11, is riddled with more than a dozen vulnerabilities, including a critical bug that allows unauthenticated remote code execution (RCE).

These could allow malicious actors to access an organization’s network, steal photos or video captured by the device, control the camera and microphone, or even lock or unlock doors.

The vulnerabilities were discovered and highlighted by security firm Claroty’s Team82, which became aware of the device’s weaknesses when they moved into an office where the E11 had already been installed.

Members of Team82’s curiosity about the device turned into a full-blown investigation as they uncovered 13 vulnerabilities, which they divided into three categories based on the attack vector used.

The first two types can occur either through RCE within the local area network or remote activation of the E11’s camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector targets access to an external, insecure file transfer protocol (FTP) server, allowing the actor to download stored images and data.

A Critical RCE Bug in the Akuvox 311

As far as bugs that stand out the most, one critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

“The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs,” according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another vulnerability of note (CVE-2023-0348, with a CVSS score of 7.5) concerns the SmartPlus mobile app that iOS and Android users can download to interact with the E11.

The core issue lies in the app’s implementation of the open source Session Initiation Protocol (SIP) to enable communication between two or more participants over IP networks. The SIP server does not verify the authorization of SmartPlus users to connect to a particular E11, meaning any individual with the app installed can connect to any E11 connected to the Web — including those located behind a firewall.

To read the complete article, visit Dark Reading.

 

Tags: Alerting Systems Applications Companies Critical Infrastructure Cybersecurity Enterprise Federal Government/Military Internet of Things IoT/Smart X News Public Safety Security Software State & Local Government System Design System Installation System Operation Tracking, Monitoring & Control Partner content

Most Recent


  • Verizon officials highlight role of 5G tech for responders during IWCE keynote
    LAS VEGAS—As the public-safety sector continues to expand its use of data-intensive applications, developments in 5G can provide the low-latency, high-bandwidth connectivity to meet these needs, Verizon officials said yesterday during a keynote address at IWCE 2023. Bryan Schromsky, managing partner for Verizon’s public-sector unit, noted that the carrier plans to complete its deployment of […]
  • Day 3 of IWCE 2023 features the opening of the Expo Hall
    A small crowd gathered around a four-legged robot that shifted with lifelike movements, running forward onto the show floor of the 2023 IWCE exposition in Las Vegas, Nev. “It’s meant for public safety and inspection of infrastructure,” said Charlie Robb, chief revenue officer for Common Objects, which had outfitted the Boston Dynamics robot, Spot, with […]
  • Rescue 42 launches miniCRD deployable for FirstNet
    Rescue 42 yesterday announced the launch of its miniCRD (mCRD) for FirstNet, which provides much of the functionality of the company’s Compact Rapid Deployable at a much lower cost.and in an even more portable form factor—two ruggedized cases that are about the size of checked luggage. Rescue 42 CEO Tim O’Connell said the mCRD (pictured […]
  • IWCE 2023
    Safer Buildings Coalition conducts annual event at IWCE 2023
    A common theme ran through the Safer Buildings Coalition’s annual meeting Monday night during IWCE 2023 at the Las Vegas Convention Center—strength through collaboration. “The perception is that the challenge is ‘out there,’ and someday, maybe the challenge will come here,” said Billy Bob Brown Jr., executive assistant director for emergency communications within the Cybersecurity […]

Leave a comment Cancel reply

To leave a comment login with your Urgent Comms account:

Log in with your Urgent Comms account

Or alternatively provide your name, email address below:

Your email address will not be published. Required fields are marked *

Related Content

  • Ransomware's favorite target: Critical infrastructure and its industrial control systems
  • Will driverless cars need remote human supervision?
  • Verizon, AT&T, T-Mobile, and Dish have all been targets of hacks this year
  • Biden's cybersecurity strategy calls for software liability, tighter critical-infrastructure security

Commentary


Updated: How ‘sidelink’ peer-to-peer communications can enhance public-safety operations

  • 1
27th February 2023

NG911 needed to secure our communities and nation

24th February 2023

How 5G is making cities safer, smarter, and more efficient

26th January 2023
view all

Events


UC Ezines


IWCE 2019 Wrap Up

13th May 2019
view all

Twitter


UrgentComm

Gallery: The last day of IWCE 2023 dlvr.it/SllQKJ

30th March 2023
UrgentComm

Video: Opening of the Expo Hall on day three of IWCE 2023 dlvr.it/SlkyNy

30th March 2023
UrgentComm

Verizon officials highlight role of 5G tech for responders during IWCE keynote dlvr.it/Slkh9n

30th March 2023
UrgentComm

Day three of IWCE 2023 features the opening of the Expo Hall dlvr.it/Slhgvr

30th March 2023
UrgentComm

Gallery: The Expo Hall opens on day three of IWCE 2023 dlvr.it/SlhfPT

29th March 2023
UrgentComm

Rescue 42 launches miniCRD deployable for FirstNet dlvr.it/SlgdtY

29th March 2023
UrgentComm

RT @IWCEexpo: 📽️ More sights from Day 2 at #IWCE23. It's been a fantastic start so far... Thanks to you! Tomorrow is another awesome spea…

29th March 2023
UrgentComm

RT @IWCEexpo: Ildefonso De La Cruz Morales, Principal Analyst-Critical Communications @OmdiaHQ takes the stage and kicks off tonight’s Keyn…

29th March 2023

Newsletter

Sign up for UrgentComm’s newsletters to receive regular news and information updates about Communications and Technology.

Expert Commentary

Learn from experts about the latest technology in automation, machine-learning, big data and cybersecurity.

Business Media

Find the latest videos and media from the market leaders.

Media Kit and Advertising

Want to reach our digital and print audiences? Learn more here.

DISCOVER MORE FROM INFORMA TECH

  • American City & County
  • IWCE
  • Light Reading
  • IOT World Today
  • Mission Critical Technologies
  • TU-Auto

WORKING WITH US

  • About Us
  • Contact Us
  • Events
  • Careers

FOLLOW Urgent Comms ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2023 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.