The Akuvox E11 is billed as a video door phone, but it’s actually much more than that. The network-connected device opens building doors, provides live video and microphone feeds, takes a picture and uploads it each time someone walks by, and logs each entry and exit in real time. The Censys device search engine shows that roughly 5,000 such devices are exposed to the Internet, but there are likely many more that Censys can’t see for various reasons.
It turns out that this omnipotent, all-knowing device is riddled with holes that provide multiple avenues for putting sensitive data and powerful capabilities into the hands of threat actors who take the time to analyze its inner workings. That’s precisely what researchers from security firm Claroty did. The findings are serious enough that anyone who uses one of these devices in a home or building should pause reading this article, disconnect their E11 from the Internet, and assess where to go from there.
The 13 vulnerabilities found by Claroty include a missing authentication for critical functions, missing or improper authorization, hard-coded keys that are encrypted using accessible rather than cryptographically hashed keys, and the exposure of sensitive information to unauthorized users. As bad as the vulnerabilities are, their threat is made worse by the failure of Akuvox—a China-based leading supplier of smart intercom and door entry systems—to respond to multiple messages from Claroty, the CERT coordination Center, and Cybersecurity and Infrastructure Security Agency over a span of six weeks. Claroty and CISA publicly published their findings on Thursday here and here.
All but one of the vulnerabilities remain unfixed. Akuvox representatives didn’t respond to two emails seeking comment for this article.
WTF is this device doing in my office?
Claroty researchers first stumbled on the E11 when they moved into an office with one preinstalled at the door. Given its access to the comings and goings of employees and visitors and its ability to spy and open doors in real time, they decided to look under the hood. The first red flag the researchers found: Images taken each time motion was detected at the door were sent by unencrypted FTP to an Akuvox server in a directory that anyone could view and, from there, download images sent by other customers.
Android and iOS. It allows remote access even when an E11 isn’t directly exposed to the Internet but is instead behind a firewall using network address translation.
SmartPlus communicates with the intercom using the session initiation protocol, an open standard used for real-time communications such as voice and video calls, instant messaging, and games.