As you probably know, we perform research on a regular basis at ERNW. This post is the first entry in our – Benjamin’s and Pascal’s – research diary. You might already have seen Oliver’s post on setting up a research environment or Brian’s posts on IoT botnets (here and here). With that in mind we want to take a look at one of the market leaders for network camera equipment: AXIS.
At first we’d like to give a quick overview of our research objects. We bought two cameras, an AXIS M1033-W and an AXIS M3005-V. The M1033’s description states that it is for “small business, hotels, residences and more”. The M3005 has a typical dome design and was actually seen in some customer environments during projects this year.
According to market studies (e.g. this) Axis Communications was a market leader in 2013 and probably still is. As the cameras can be used without special, expensive software, they can be used at a small scale, like having just a few in a shop. Of course they can also be deployed at large scale, in large buildings or public places (e.g. train stations), though in that case special software might be suitable to manage the video feeds from the cameras.
Oh, and if you’re curious whether the two models are at risk of becoming part of the Mirai botnet: Mirai mainly focuses on open telnet services with default credentials. Neither Axis camera runs telnet by default.
The feature sets of the cameras are quite similar, but the M1033-W also has a WiFi module, a microphone and a speaker. To set up the cameras they have to be put into a network (in the case of WiFi, WPS is available), where the camera gets an IP address via DHCP and broadcasts itself via UPnP.
Configuration can be done via a web interface. During the initial setup the user is prompted for a password for the root user and offered the possibility to generate a self-signed SSL certificate. Different network settings can be applied, like using DHCP or static IPs, setting IP filters, and so on. Most services can also be deactivated.
There are quite a few nice features regarding the video feed. Alarms can be set when motion is detected or the tamper detection is triggered. Those alarms can be used to trigger a notification (e.g. via mail) or start recording. To access the stream one can use the browser or RTSP. The camera can also be set up to transfer recordings directly to network shares.
First we scanned through the web interface and explored some features to get a feeling for what the cameras are able to do and possible use cases. We soon found this exploit, which so far worked only on the M1033 but popped a root shell. Awesome!
The cameras run a quite old Linux kernel version 2.6, which was released in August 2011 and is not maintained anymore. The latest stable release of the Boa webserver is from 2002.
When Pascal was creating his Axis user account he found that the Axis homepage seems to run entirely on plaintext HTTP and even the login and registration are transferred in plaintext.
As Axis seems to like plaintext, of course the camera is accessed via an unencrypted connection by default: not only the web interface, but also RTSP. Still, a nice fact to mention is that the cameras have a certificate store, so one can put either a self-signed certificate or a proper certificate signed by a CA in there and enable HTTPS. Actually we didn’t do that yet, but it might be interesting to see which other protocols are also (positively) influenced by that, for example the RTSP stream. Apropos stream: the cameras are able to work with IPv6, although it is disabled by default. Still, netstat shows mostly IPv4 addresses embedded into IPv6 addresses, which means IPv6 is running anyway. Might be interesting to take a deeper look there!
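A way to turn that netstat observation into a repeatable check, as an added example that is not part of the original post: the script separates IPv4-mapped peers (IPv4 traffic handled by an IPv6 socket) from `::` listeners and native IPv6 peers. The sample output is constructed with documentation addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in `netstat -tan` layout; addresses and ports are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 ::ffff:192.0.2.90:80    ::ffff:192.0.2.10:51234 ESTABLISHED
tcp        0      0 2001:db8::90:80         2001:db8::10:40022      ESTABLISHED
"""

def classify(host):
    """Say how an address printed by netstat relates to IPv6."""
    addr = ipaddress.ip_address(host)
    if addr.version == 4:
        return "ipv4"
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"    # IPv4 peer, but the socket is AF_INET6
    if addr.is_unspecified:
        return "ipv6-wildcard"  # '::' listener, accepts IPv6 connections
    return "ipv6-native"

def split_endpoint(endpoint):
    """Split 'host:port' at the last colon, so ':::80' gives ('::', '80')."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def audit(netstat_text):
    """Collect every sign that the IPv6 socket layer is in use."""
    report = {"ipv6_listeners": [], "ipv4_mapped_peers": [], "native_ipv6_peers": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line or non-TCP row
        lhost, lport = split_endpoint(fields[3])
        rhost, _ = split_endpoint(fields[4])
        if fields[5] == "LISTEN":
            if classify(lhost) != "ipv4":
                report["ipv6_listeners"].append(int(lport))
            continue
        kind = classify(rhost)
        if kind == "ipv4-mapped":
            mapped = ipaddress.ip_address(rhost).ipv4_mapped
            report["ipv4_mapped_peers"].append(str(mapped))
        elif kind == "ipv6-native":
            report["native_ipv6_peers"].append(rhost)
    report["ipv6_socket_layer_active"] = any(report.values())
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Ports listed under `ipv6_listeners` are the ones worth covering with IPv6 filter rules as well, since an IPv4-only IP filter does not apply to connections arriving over IPv6.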
We also mentioned the working root shell exploit earlier, so if you use Axis cameras it might be a good idea to update the firmware to the latest version, which contains a fix.
Over the last week most of the research was recon-focused, so we didn’t work much on exploitation yet. It seems that the cameras run quite a lot of old software, so this could yield some vulnerabilities.
Although the security level of the default configuration is not the best, the cameras offer quite a few options to harden it. Also, if the cameras are run in a separate network segment with no external access, it might be quite hard to reach them at all.
Benjamin & Pascal