Akuvox E11 video door phone and doorlock is incredibly insecure
If you or your business are using the Akuvox E11 (video door phone and doorlock), disconnect it from the Internet right away.
"...anyone with the app installed can connect to any E11 that’s connected to the Internet [and] can view and listen to video and audio in real time. ...the vulnerabilities are serious. They not only give remote attackers the ability to spy on users, they also allow them to unlock doors. ..."
The Akuvox E11 is billed as a video door phone, but it’s actually much more than that. The network-connected device opens building doors, provides live video and microphone feeds, takes a picture and uploads it each time someone walks by, and logs each entry and exit in real time. The Censys device search engine shows that roughly 5,000 such devices are exposed to the Internet, but there are likely many more that Censys can’t see for various reasons.
It turns out that this omnipotent, all-knowing device is riddled with holes that provide multiple avenues for putting sensitive data and powerful capabilities into the hands of threat actors who take the time to analyze its inner workings. That’s precisely what researchers from security firm Claroty did. The findings are serious enough that anyone who uses one of these devices in a home or building should pause reading this article, disconnect their E11 from the Internet, and assess where to go from there.
The 13 vulnerabilities found by Claroty include a missing authentication for critical functions, missing or improper authorization, hard-coded keys that are encrypted using accessible rather than cryptographically hashed keys, and the exposure of sensitive information to unauthorized users. As bad as the vulnerabilities are, their threat is made worse by the failure of Akuvox—a China-based leading supplier of smart intercom and door entry systems—to respond to multiple messages from Claroty, the CERT Coordination Center, and the Cybersecurity and Infrastructure Security Agency over a span of six weeks.
https://arstechnica.com/information-technology/2023/03/go-ahead-and-unplug-this-door-device-before-reading-youll-thank-us-later/
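Two of the vulnerability classes named in the article (credentials protected with a key that ships in the firmware instead of being hashed, and critical functions reachable without authentication) are easier to reason about with a concrete weak design next to its corrected form. The block below is an added illustration written for this post; it is not Akuvox's, Claroty's or Ars Technica's code, models no real device protocol or endpoint, and every key, username and password in it is a constructed placeholder.

```python
"""Added illustration, not code from the article or the vendor.
Weak design: a hard-coded key that reversibly "protects" stored credentials.
Corrected design: salted scrypt verifier plus an authentication gate in
front of every critical action (unlock, video, audio)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# --- Weak design: reversible protection with a key that ships in firmware --
# Constructed placeholder key. Any key embedded in a firmware image can be
# read out of that image, so data "encrypted" with it is recoverable by
# anyone who obtains the image. Hashing has no such key to leak.
HARDCODED_KEY = b"example-firmware-key"


def xor_with_hardcoded_key(data: bytes) -> bytes:
    """Toy symmetric transform: applying it twice restores the input, which is
    exactly why a stored credential protected this way is not protected."""
    return bytes(b ^ HARDCODED_KEY[i % len(HARDCODED_KEY)] for i, b in enumerate(data))


# --- Corrected design: salted, memory-hard hash; nothing to decrypt --------
SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password, salt). Only this verifier is stored."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the verifier and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


# --- Missing authentication for critical functions -------------------------
CRITICAL_ACTIONS = {"unlock_door", "view_video", "listen_audio"}


class DoorController:
    """Toy controller (constructed): every critical action is gated on a valid
    session, regardless of which network interface the request came in on."""

    def __init__(self, users: Dict[str, bytes]):
        self._users = users                 # username -> stored verifier
        self._sessions: Set[str] = set()
        self.audit: List[str] = []          # what a defender would want logged

    def login(self, user: str, password: str) -> Optional[str]:
        stored = self._users.get(user)
        if stored is None or not verify_password(password, stored):
            self.audit.append(f"login FAILED user={user}")
            return None
        token = secrets.token_urlsafe(24)
        self._sessions.add(token)
        self.audit.append(f"login OK user={user}")
        return token

    def request(self, action: str, token: Optional[str]) -> bool:
        """Dispatch an action; critical ones require an authenticated session."""
        if action in CRITICAL_ACTIONS and token not in self._sessions:
            self.audit.append(f"DENIED action={action} (unauthenticated)")
            return False
        self.audit.append(f"ALLOWED action={action}")
        return True


if __name__ == "__main__":
    # Constructed sample credentials.
    ctl = DoorController({"admin": hash_password("correct horse")})
    print("unlock without login:", ctl.request("unlock_door", None))
    tok = ctl.login("admin", "correct horse")
    print("unlock after login:", ctl.request("unlock_door", tok))
    print("\n".join(ctl.audit))
```

The point of the comparison is the storage model, not the cipher: `xor_with_hardcoded_key` stands in for any reversible scheme whose key lives in the firmware, and `hash_password` / `verify_password` show that a salted verifier leaves nothing to recover. The `request` gate applies the same check to every critical action so that an attacker reaching the device over the Internet gets the same denial as anyone else without a session, and the `audit` list is where detection of repeated failures or unauthenticated attempts would start.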