Unpatched Zero-Day Bugs in Akuvox E11 Smart Intercom Allow Eavesdropping

March 10, 2023

A popular smart intercom and videophone from Chinese company Akuvox, the E11, is riddled with more than a dozen vulnerabilities, including a critical bug that allows unauthenticated remote code execution (RCE). Security firm Claroty's Team82 discovered 13 vulnerabilities, which could allow malicious actors to access an organization's network, steal photos or video captured by the device, control the camera and microphone, or even lock or unlock doors.

The most critical threat, CVE-2023-0354, with a CVSS score of 9.1, allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information. "The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA).

Another vulnerability of note (CVE-2023-0348, with a CVSS score of 7.5) concerns the SmartPlus mobile app that iOS and Android users can download to interact with the E11. The core issue lies in the app's implementation of the open source Session Initiation Protocol (SIP) to enable communication between two or more participants over IP networks. "We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."

Organizations using the E11 are advised to disconnect it from the Internet until the vulnerabilities are fixed, or to otherwise ensure the camera is not capable of recording sensitive information. Within the local area network, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network," according to the Claroty report. "Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."
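The segmentation advice can be checked against network flow logs. The following is an added example, not code from Claroty, CISA or Akuvox: it audits flow records for traffic that crosses the intercom segment boundary from or to anything outside a minimal allow-list. The subnet, allow-listed hosts, log format and sample records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing for illustration only; none of it comes from the article.
INTERCOM_SEGMENT = ipaddress.ip_network("10.50.0.0/28")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed enterprise range
ALLOWED_PEERS = {  # the "minimal list of endpoints"
    ipaddress.ip_address("10.10.0.5"),   # hypothetical management workstation
    ipaddress.ip_address("10.10.0.20"),  # hypothetical SIP server
}

# Constructed flow records: "src dst dst_port proto"
SAMPLE_FLOWS = """\
10.10.0.5 10.50.0.3 443 tcp
10.10.0.20 10.50.0.3 5060 udp
10.20.7.44 10.50.0.3 80 tcp
10.50.0.3 10.10.0.20 5060 udp
10.50.0.3 203.0.113.9 443 tcp
198.51.100.23 10.50.0.3 5060 udp
10.50.0.3 10.50.0.4 5060 udp
10.30.1.1 10.30.1.2 22 tcp
"""

def audit_flows(text):
    """Return (line_no, reason, record) for flows that break the segment policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            if len(parts) != 4:
                raise ValueError("expected 4 fields")
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            findings.append((n, "malformed record", line))
            continue
        src_in, dst_in = src in INTERCOM_SEGMENT, dst in INTERCOM_SEGMENT
        if src_in == dst_in:
            continue  # both inside the segment, or unrelated to it
        peer = dst if src_in else src
        if peer in ALLOWED_PEERS:
            continue
        internal = any(peer in net for net in INTERNAL_NETS)
        reason = ("internal host not on allow-list" if internal
                  else "external address")
        findings.append((n, reason, line))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Any finding means the firewall or ACL policy around the device segment is looser than the isolation the report recommends.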
