New Axis Operating System Security Research Aided By Transparent Design
Security through obscurity
In a recent blog post, we disclosed a new remote code execution vulnerability affecting the N48PBB, a popular network video recorder (NVR) made by Annke.2 During that research, we got the first clue that there was a vulnerability when, while fuzzing the HTTP endpoints, we caused the device to restart on its own after sending a very large payload.
However, triaging and confirming the vulnerability precisely required significant effort:
- The device allowed on-demand access via SSH, but only to a restricted shell, which turned out to be useless for debugging purposes;
- No firmware was available for our analysis;
- When we managed to gain access to the firmware, it turned out to be encrypted.
Indeed, all these countermeasures caused the analysis to take longer than expected. This can create a sense of security, as attackers must invest substantial effort to reverse the obfuscation steps and gain full access to the device before they can create and fine-tune attack payloads.
However, it should be emphasized that this has no effect on the presence or absence of vulnerabilities in the product, whether or not anyone discovers them.
Additionally, a side effect is that security researchers and asset owners have to invest the same effort to find bugs and responsibly disclose them to the vendor, to the point that some might decide to abandon the review and keep a product in their network with an unknown security status.
The Axis Companion Recorder
Continuing our research on IP video surveillance systems, we decided to investigate the security of a long-standing manufacturer of IP video surveillance equipment, namely Axis Communications.3 To do this, we purchased an Axis Companion Recorder, a compact NVR capable of supporting up to 8 PoE IP cameras directly connected to it. For more information about NVRs, please refer to our previous blog,2 which contains a detailed description of how they work as well as their security.
Immediately after setting up the device, the transparent approach taken by Axis is evident.
First of all, the device allows out-of-the-box, unrestricted remote access through the SSH service, which can be enabled through the web interface.