A recent blog from Senrio detailed a new flaw called Devil's Ivy, found in an open source code library, that could be used to hijack security cameras and for other nefarious purposes.
The Devil's Ivy vulnerability, reported in a Senrio blog post Tuesday, could put millions of IoT devices at risk of attack. According to the post, Devil's Ivy affects devices that rely on the gSOAP toolkit for support.
The vulnerability is technically a stack buffer overflow bug, and it was found in a connected security camera made by Axis Communications. Devil's Ivy performs a remote code execution that allows an attacker to remotely access the video feed from the camera, or to shut it down, the post said.
One example of a real world attack could be for hackers to target connected cameras in the lobby of a bank. Accessing the feed, they could potentially view sensitive data as transactions take place, or they could shut the camera down before a heist, the post said.
SEE: Internet of Things policy template (Tech Pro Research)
The vulnerability is present in 249 camera models made by Axis Communications, the post said. But, because of the wide adoption of the gSOAP toolkit, it could be used to target other kinds of internet-connected devices as well.
Essentially, any software or device manufacturer that relies on gSOAP could be at risk, the post said, but the extent of their exploitation can't necessarily be quantified just yet. "Based on our research, servers are more likely to be exploited," the post said. "But clients can be vulnerable as well, if they receive a SOAP message from a malicious server."
Genivia, gSOAP's parent company, claims that the toolkit has been downloaded more than 1 million times. In the post, it was also noted that IBM, Microsoft, Adobe, and Xerox are all gSOAP customers, meaning that, if unpatched, some of these companies' products could eventually be affected.
Axis reported the vulnerability to Genivia, which issued a patch. In order to further protect devices, Senrio recommended that businesses keep physical security devices off of the public internet, defend IoT devices as much as possible, and patch when possible.
However, despite best efforts, the vulnerability might be around for a long time.
"We named the vulnerability Devil's Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse," the post said. "Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate."
The 3 big takeaways for TechRepublic readers
- A new vulnerability called Devil's Ivy could put millions of connected cameras, IoT devices, and servers at risk of attack.
- Devil's Ivy was found in the widely-adopted gSOAP toolkit, which has been downloaded more than 1 million times and claims customers like Microsoft and IBM.
- Security researchers recommend keeping physical devices off of the public internet, defending IoT initiatives, and patching when possible.
- How to become an IoT developer: 6 tips (TechRepublic)
- Millions of IoT devices hit by 'Devil's Ivy' bug in open source code library (ZDNet)
- Internet of Things: Five truths you need to know to succeed (TechRepublic)
- Internet of Things security: What happens when every device is smart and you don't even know it? (ZDNet)
- How blockchain could revolutionize IoT security (TechRepublic)