Vulnerabilities in Johnson Controls' exacqVision Web Service Expose Security Systems to Video-Stream Hijacking


In today's interconnected world, security in video surveillance systems is more critical than ever. These systems, which monitor and protect assets and individuals, must remain robust against potential cyber threats. Ensuring the security of video surveillance involves protecting against unauthorized access, data breaches, and other vulnerabilities that could compromise the integrity and confidentiality of surveillance footage.

Nozomi Networks Labs has uncovered and responsibly disclosed six vulnerabilities affecting the Johnson Controls International (JCI) exacqVision Web Service application. Collaboration with JCI led to the resolution of all identified issues. This partnership highlights the importance of cooperation in the cybersecurity landscape. Timely communication and joint efforts can significantly mitigate risks and protect critical infrastructure.

This blog details the identified security vulnerabilities, explores their possible repercussions, and outlines recommended mitigation strategies. Nozomi Networks customers can find updated protections in our Threat Intelligence feed to effectively address these threats. Please refer to the section below titled “Vulnerability List and Affected Versions” for a comprehensive list of vulnerable targets.

Research Scope

Through its acquisition of Tyco in 2015, JCI is a prominent provider of video surveillance solutions through its Exacq division. Known for their exacqVision Video Management System (VMS), JCI's offerings include sophisticated network video recorders (NVRs), versatile video management software, and cutting-edge analytics. These products are designed for seamless integration with thousands of camera models and numerous access control systems, ensuring comprehensive security and operational efficiency for diverse applications.

The exacqVision Web Service (Figure 1) is a service exposing a web user interface that allows operators to remotely monitor and manage their video-surveillance systems. The application consists of an HTTP interface acting as a front-end for the exacqVision Server, where video streams from multi-vendor cameras can be configured to deliver real-time data.

Figure 1. exacqVision Web Service interface.

The exacqVision Web Service is pre-installed on all exacqVision A Series and Z Series systems. It can also be installed on exacqVision ELX Series systems. Using an ordinary web browser, it is possible to access the web interface from multiple devices as shown in Figure 2.

Figure 2. exacqVision Web Service integrations.

What Are the Impacts of These Vulnerabilities?

From our analysis of the exacqVision Web Service, we identified six vulnerabilities that can be combined to maximize the impact. The following examples describe the types of attack scenarios that could be enacted by exploiting these issues:

  • Hijacking a video stream: Attackers can take control of the video streams from surveillance cameras connected to the exacqVision Web Service. This enables them to view, manipulate, or block real-time video feeds, compromising the integrity and reliability of surveillance operations. Such an attack could be used to cover criminal activities, disrupt security monitoring, or exfiltrate sensitive visual data. This scenario is further examined in the Vulnerability Spotlight section below.
  • Stealing administrative access information and bypassing authentication: Attackers can exploit an insecure Cross-Origin Resource Sharing (CORS) configuration to intercept and steal sensitive access credentials, such as the authentication token. An improperly configured CORS policy can allow malicious websites to make unauthorized requests to the exacqVision Web Service, gaining access to authentication tokens and other sensitive data. Once these credentials are compromised, attackers capable of interacting with the exacqVision Web Service can bypass the standard authentication mechanisms, effectively gaining unauthorized entry into the system.
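The CORS weakness described above (an origin reflected into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true) can be checked for mechanically. The script below is an added example written for this post, not code from Nozomi Networks or from the exacqVision product: it audits one request/response header pair for the permissive patterns, and shows the hardened alternative of answering only an explicit allow-list. The allow-list entry and the sample headers are constructed placeholders.

```python
"""Audit CORS response headers for the permissive configuration class (CWE-942).

Dangerous pattern: the server echoes whatever Origin the browser sent into
Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true.
A page on any site can then read authenticated responses, including the token.
"""
from typing import Dict, List

# Constructed allow-list (assumption): the only origin that should ever be granted access.
TRUSTED_ORIGINS = {"https://vms.example.internal"}


def audit_cors(request_origin: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one request Origin and the response headers it produced.

    An empty list means no cross-origin read access was granted to an untrusted site.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no CORS grant at all: same-origin policy applies
    if acao == "*":
        findings.append("wildcard origin: any site may read unauthenticated responses")
        if creds:
            findings.append("wildcard combined with credentials: browsers refuse it, "
                            "but it signals a misconfigured policy")
    elif acao == "null":
        findings.append("'null' origin allowed: sandboxed iframes and data: URLs can read responses")
    elif acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        findings.append(f"untrusted origin {request_origin!r} reflected")
        if creds:
            findings.append("reflected untrusted origin with credentials: "
                            "authenticated responses (tokens included) readable cross-site")
    return findings


def safe_cors_headers(request_origin: str) -> Dict[str, str]:
    """Hardened server behaviour: grant access only to the allow-list, never reflect blindly."""
    if request_origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from serving one origin's grant to another
        }
    return {}  # unknown origin: emit no CORS headers, the browser blocks the read


# Constructed sample: a response that reflected an arbitrary Origin and allowed credentials.
INSECURE_SAMPLE = {
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for finding in audit_cors("https://attacker.example", INSECURE_SAMPLE):
        print("FINDING:", finding)
    print("hardened response for unknown origin:", safe_cors_headers("https://attacker.example"))
```

Run it against captured responses from a test instance by feeding each Origin you sent and the headers that came back; a reflected origin plus the credentials flag is the combination that turns a CORS misconfiguration into credential theft.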

Vulnerability List and Affected Versions

The following table lists all vulnerabilities found on the exacqVision Web Service, ordered by CVSS v3.1 base score. All products up to version 24.03 are affected by the issues.

| CVE ID | CWE | CVSS v3.1 Base Score | CVSS v3.1 Vector |
|---|---|---|---|
| CVE-2024-32862 | Permissive Cross-domain Policy with Untrusted Domains (CWE-942) | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| CVE-2024-32863 | Cross-Site Request Forgery (CSRF) (CWE-352) | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| CVE-2024-32864 | Cleartext Transmission of Sensitive Information (CWE-319) | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| CVE-2024-32865 | Improper Certificate Validation (CWE-295) | 6.4 | CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| CVE-2024-32931 | Use of GET Request Method With Sensitive Query Strings (CWE-598) | 5.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| CVE-2024-32931 | Use of GET Request Method With Sensitive Query Strings (CWE-598) | 5.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |

Vulnerability Spotlight

We created a proof of concept (PoC) to illustrate the impact of the discovered vulnerabilities. This PoC demonstrates how it is possible to hijack the video stream by injecting arbitrary content over the RTSP protocol. As a result, the user interface displays an image that is different from what the security camera is actually recording.

The initial network configuration is shown in Figure 3, where an exacqVision device is receiving a real-time stream from a third-party security camera (in this case, a popular Axis camera).

Figure 3. Network diagram.

The video stream received by the exacqVision device is then transmitted to a third-party application, as shown in Figure 4.

Figure 4. Third-party application displaying RTSP video stream.

Exploiting the lack of certificate validation (CVE-2024-32865), an attacker who gains access to the internal company network could attempt a Man-in-the-Middle (MitM) attack. Because the recorder does not verify the camera's TLS certificate, the attacker can terminate the secure RTSP session between the camera and the monitoring system and inject a fake RTSP stream in its place, as illustrated in Figure 5.

Figure 5. RTSP hijacking leveraging the lack of TLS certificate validation.
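The MitM described above works only because the TLS client on the recorder side accepts any certificate. The example below is added here to show, in Python's standard ssl module, the difference between a client context with validation disabled (the CWE-295 pattern) and one that requires a chain to a trusted CA plus a hostname match, together with a small audit helper for flagging the weak settings in code review. It is not exacqVision code; the RTSPS port (322) and the CA-bundle argument are assumptions for illustration.

```python
"""Certificate validation on an RTSP-over-TLS (RTSPS) client connection.

Contrasts a context that trusts any certificate with a hardened one, and audits
a context for the settings that would let an on-path attacker substitute a stream.
"""
import socket
import ssl
from typing import List, Optional

RTSPS_PORT = 322  # assumption: IANA-registered rtsps port, used here for illustration


def insecure_context() -> ssl.SSLContext:
    """Pattern to avoid: TLS still encrypts, but the peer is never authenticated,
    so any device on the path can present its own certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened: require a chain to a trusted CA and a SAN/hostname match.

    ca_bundle is the PEM file of the organisation's own camera CA (assumption);
    None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client context; empty means it authenticates the peer."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: any certificate accepted, stream substitution possible")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate not tied to the camera's hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


def connect_rtsps(host: str, port: int = RTSPS_PORT,
                  ca_bundle: Optional[str] = None, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a verified TLS socket to a camera; raises ssl.SSLCertVerificationError
    (a subclass of ssl.SSLError) instead of silently talking to an impostor."""
    ctx = verifying_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname drives both SNI and the hostname check against the certificate.
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("verifying:", audit_context(verifying_context()))
```

In practice the camera certificates are issued by an internal CA, so pass that CA's bundle rather than relying on the system store; a verification failure should then be treated as a security event (possible on-path tampering), not retried with verification disabled.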

The result of the attack is shown in Figure 6, where the original video stream has been replaced with a custom one. In our case, to make the attack particularly noticeable, a well-known music video has been injected. However, malicious users could replay a loop of the previous room's image, effectively creating a blind spot in the surveillance system. This technique, often dramatized in spy movies, would make it impossible for security personnel to notice any unauthorized activities or intrusions. The false feed not only hides the physical presence of the attackers but also any evidence of tampering or theft, significantly delaying detection and response.

Figure 6. Result of tampered video stream.

Remediation

To remediate these vulnerabilities, it is essential to update to version 24.06 of the exacqVision Web Service, released by Johnson Controls International (JCI). This updated version includes critical security patches developed through a collaborative effort between JCI and Nozomi Networks. These patches address the identified weaknesses, ensuring that the system is protected against potential exploits. By upgrading to the latest version, users can safeguard their network and devices from unauthorized access and maintain the integrity of their video streams. It is highly recommended to implement this update promptly to enhance the security and reliability of the exacqVision system.