There’s been another wake-up call concerning our old friend the internet of things. As usual, it comes in the form of yet another security vulnerability in the wild. Although the amount of damage this one can do remains uncertain, we know it affects an extremely large number of devices, and at the very least can be used to disable security cameras from one affected company.
Ultimately, the amount of damage it will cause will depend on whether users of affected products are implementing best security practices when it comes to connected devices. This includes not only keeping devices patched — if possible — but other actions such as keeping IoT security devices protected behinds firewalls.
The vulnerability — called Devil’s Ivy or CVE-2017-9765 — was made public last week by Senrio, a company that specializes in IoT security. It initially found the bug in the M3004 model security camera marketed by Axis Communications, but further research found that 249 of Axis’s 251 surveillance camera models are affected.
Although that’s of lot of devices, it’s only the tip of the iceberg, as the problem isn’t with code that’s native to Axis products but is in gSOAP, an open source web services library that’s used by many developers. Media outlets are reporting that 34 companies use gSOAP — a list that includes Microsoft, IBM, Xerox and Adobe.
That number is based on membership in the ONVIF Forum, the unofficial international consortium of hardware vendors that originated the code. However, because gSOAP is freely available for download, the number is probably much larger. Genivia, the company that manages it, claims more than a million total downloads, and code repository Sourceforge shows over 30,000 downloads from its site since the beginning of the year.
“We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse,” said Senrio in its advisory.
The flaw affects versions 2.7 through 2.8.47, with version 2.8.48 containing the fix, However, due to the shear number of affected devices and the fact that many IoT devices are designed in a way that makes applying patches difficult if not impossible, some devices may remain vulnerable for something akin to forever.
“Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate,” explained Senrio.
In addition to IoT devices, the vulnerability affects some Linux distributions as well, with Red Hat, Debian, Ubuntu and SUSE all posting security advisories.
The vulnerability takes advantage of another old friend — the stack buffer overflow.
“In the case of this camera, in order to exploit the vulnerability you would need to send a malicious payload to port 80,” M Carlton, Senrio’s vice president of research, told the website Threatpost. “The camera then processes the data using the vulnerable library. The attacker then sends the specially crafted payload that triggers the buffer stack overflow which leads to custom code execution.”
With the Axis cameras, after exploiting the vulnerability, Senrio researchers could reboot a device and change settings to block access to the video feed. More disturbingly, a device could also be reset to factory defaults, which would cause it to issue a prompt to change the user name and password, after which attackers would have complete control of the device. In other words, tech savvy thieves could use this exploit to turn off security cameras before pulling off a heist, and security personnel wouldn’t be able to quickly get the cameras back up and running.
Senrio notified Axis and Genivia of the exploit in May and waited for patches to be deployed before going public. Axis has patched the firmware for all its affected products and advises users to apply the patches, along with other recommendations.
Although many media outlets have been quick to blame the open source practice of code reuse on the scope of this exploit, that ignores the core issue. The real problem is the lack of standards — especially when it comes to security — for IoT devices. Until this issue is addressed, IoT will continue to be plagued with security scare after security scare. And when IoT is threatened, so is everyone else who depends on the internet.