More than a dozen security flaws have been disclosed in the E11, a smart intercom product made by Chinese company Akuvox.
“The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold,” Claroty security researcher Vera Mens said in a technical write-up.
Akuvox E11 is described by the company on its website as a “SIP [Session Initiation Protocol] video doorphone specially designed for villas, houses, and apartments.”
The findings also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an Industrial Control Systems (ICS) advisory of its own last week.
“Successful exploitation of these vulnerabilities could cause loss of sensitive information, unauthorized access, and grant full administrative control to an attacker,” the agency cautioned.
In the absence of patches, organizations using the doorphone are advised to mitigate potential remote attacks by disconnecting it from the internet until the vulnerabilities are fixed.
They are also advised to change the default password used to secure the web interface and to “segment and isolate the Akuvox device from the rest of the enterprise network” to prevent lateral movement attacks.
Source: thehackernews.com