OrwellLabs just released a POC on how to hack certain Axis cameras and video servers (h.t. Gavin Millard). This is just a few days after I received a marketing email from Axis (the July 2016 Axis ADP eNewsletter), containing this verbiage:
Service release for critical security vulnerability
Recently, a critical security vulnerability was discovered in some of Axis’ products that are accessible from the Internet. We have now published firmware service releases for the majority of our products; see http://www.axis.com/support/product-security. Axis recommends users to update the affected products’ firmware as soon as possible, especially if the products are accessible from the Internet.
The very same email contains this message:
Taking responsibility
CEO Ray Mauritsson comments on privacy, business ethics, the Axis code of conduct, and how we – together with our partners – are working to create a smarter, safer world
Axis did put out a press release on the 6th of July 2016 about the vulnerability on their security page (about 9 months after Axis was notified by OrwellLabs). But honestly, how many owners of the affected devices will go there? How many owners of the affected devices will get an email about this sort of thing? Even if they do, they have to visit a link to determine the severity. I don’t know if issuing a press release 9 months later, saying that your company’s cameras may become part of a botnet army, is “taking responsibility”. I know it is not uncommon for companies to behave this way, but that doesn’t make it right.
For all intents and purposes, the impact of this bug is not that big. The vast majority of sensible users will not expose their CCTV system directly to the internet. Your camera may access the internet – outbound – to send notifications etc., but that will not make you vulnerable. To be vulnerable, you need to map a port on your firewall to your camera, so that the camera web interface can be reached from a public IP address.
But there is a minority of users who will, and who do, this sort of thing. And even if it is a minority, they can do a lot of damage to others (by participating in botnets), and obviously to themselves too (paying $$$ for a useless/dangerous device).
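The exposure condition described above (an inbound port mapping from the firewall to the camera's web interface, as opposed to outbound-only traffic) is easy to audit from the firewall's own rule list. The script below is an added example, not code from the post or from Axis or OrwellLabs; it parses a small constructed set of port-forward rules in a made-up "wan_port -> lan_host:lan_port proto" form (not any vendor's real syntax), and flags the rules that publish a known camera's HTTP, HTTPS or RTSP port on the WAN side. The camera host addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of inbound NAT / port-forward rules. The syntax
# "wan_port -> lan_host:lan_port proto" is invented for this example.
SAMPLE_RULES = """
# camera 1: web UI forwarded to the internet -> exposed
8080 -> 192.168.1.20:80 tcp
# camera 1: RTSP stream also forwarded -> exposed
554 -> 192.168.1.20:554 tcp
# NAS admin page, not a camera (out of scope for this check)
5000 -> 192.168.1.50:5000 tcp
# VPN endpoint on the router: the sane way to reach cameras remotely
1194 -> 192.168.1.1:1194 udp
"""

# Hosts the operator knows to be cameras or video servers (constructed).
CAMERA_HOSTS = {"192.168.1.20", "192.168.1.21"}
# Ports a camera web interface or video stream typically listens on.
CAMERA_SERVICE_PORTS = {80, 443, 554}


@dataclass
class Rule:
    wan_port: int
    lan_host: str
    lan_port: int
    proto: str


def parse_rules(text):
    """Parse the constructed rule format, skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        left, right = line.split("->", 1)
        host_port, proto = right.split()
        host, port = host_port.rsplit(":", 1)
        ipaddress.ip_address(host)  # raises ValueError on a malformed host
        rules.append(Rule(int(left), host, int(port), proto.lower()))
    return rules


def exposed_cameras(rules, camera_hosts=CAMERA_HOSTS, ports=CAMERA_SERVICE_PORTS):
    """Return the rules that publish a camera's service port on the WAN side.

    Outbound traffic never appears in this list: only an inbound mapping
    to a camera host on one of its service ports counts as exposure.
    """
    return [r for r in rules if r.lan_host in camera_hosts and r.lan_port in ports]


def report(text):
    """Human-readable list of exposed camera mappings for a rule set."""
    findings = exposed_cameras(parse_rules(text))
    return [f"WAN:{r.wan_port}/{r.proto} -> {r.lan_host}:{r.lan_port}" for r in findings]


if __name__ == "__main__":
    for line in report(SAMPLE_RULES):
        print("EXPOSED", line)
```

The NAS and VPN rules are deliberately left unflagged: the point of the check is the camera web interface and stream being reachable from a public IP address, which is exactly the precondition the post names. On a real firewall the parser would be replaced by the vendor's export format, and the camera host list by the inventory of video devices.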
It’s depressing because Axis does a lot of things to improve security: no default passwords is a pain in the ass, but it does make things a little more secure (only just a little, because people will put in 12346, pass, or something similar).
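Forcing the user to set a password only helps if the device then refuses the sort of value the post mentions. The checker below is an added example, not Axis firmware code or anything from the post; it applies a small policy (minimum length, a constructed blocklist of common choices, ascending and repeated character runs, and a minimum number of character classes) and returns the list of rules a candidate fails. The blocklist and thresholds are assumptions chosen for the example.

```python
import string

# Constructed blocklist of the passwords people tend to pick when a device
# forces them to set one; a real deployment would load a much larger list.
COMMON_PASSWORDS = {
    "pass", "password", "admin", "root", "camera", "axis",
    "1234", "12345", "123456", "qwerty", "letmein",
}

CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def has_ascending_run(pw, run=4):
    """True if pw contains `run` consecutive characters that ascend by one
    code point each ('1234', 'abcd', 'wxyz'), compared case-insensitively."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def has_repeated_run(pw, run=4):
    """True if pw contains the same character `run` times in a row ('aaaa')."""
    for i in range(len(pw) - run + 1):
        if len(set(pw[i:i + run])) == 1:
            return True
    return False


def weak_password_reasons(pw, min_len=10, min_classes=3):
    """Return the policy rules the candidate fails; an empty list means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if has_ascending_run(pw):
        reasons.append("ascending run")
    if has_repeated_run(pw):
        reasons.append("repeated run")
    classes = sum(any(c in cls for c in pw) for cls in CHAR_CLASSES)
    if classes < min_classes:
        reasons.append("fewer than %d character classes" % min_classes)
    return reasons


if __name__ == "__main__":
    for candidate in ("12346", "pass", "Tq7!vR2#mL9p"):
        verdict = weak_password_reasons(candidate)
        print(repr(candidate), "rejected:" if verdict else "accepted", ", ".join(verdict))
```

Both of the post's examples are rejected for more than one reason, which is the useful property of a policy like this: a blocklist alone would let "12346" through, and a length rule alone would let a long keyboard walk through.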