Flaw in third-party code may impact millions of IoT devices, claims security firm

Portland, Oregon, July 20, 2017: A security firm has disclosed a new flaw in a code library used by Internet of Things (IoT) devices, one that could be exploited remotely.

On Tuesday, the IoT-focused security firm Senrio revealed a remotely exploitable flaw, which it calls 'Devil's Ivy', in a piece of code called gSOAP that is widely used in physical security products. Remote attackers could exploit the flaw to fully disable or take over thousands of models of Internet-connected devices, from security cameras to sensors to access-card readers.

According to a post on its official blog, Senrio said:

Our latest discovery was found in an Axis Communications security camera — the M3004 model. Axis Communications is one of the largest manufacturers of security Web cameras globally. In fact, while passing through LAX last week, we saw one of the vulnerable models in use at the airport.

After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.

Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade.


The impact of Devil's Ivy goes far beyond Axis, claims the Senrio team. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP, an implementation of SOAP (Simple Object Access Protocol). gSOAP is a widely used Web services toolkit, and developers around the world use it as part of a software stack to let devices of all kinds talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil's Ivy, though the extent to which such devices can be exploited cannot be determined at this time. Based on its research, Senrio said servers are more likely to be exploited, but clients can be vulnerable as well if they receive a SOAP message from a malicious server.
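The bug class behind Devil's Ivy, a stack buffer overflow while parsing an incoming SOAP/XML message, can be illustrated with the pattern below. This is an added example written for this article; it is not gSOAP's source, not Senrio's exploit, and it does not reproduce the specific code path of CVE-2017-9765. The buffer size TAG_MAX, the functions read_tag_unsafe, read_tag_safe, safe_tag_len and probe_long_name, and the sample messages are all hypothetical constructions. The vulnerable routine copies an element name into a fixed-size stack buffer with no bound, which is exactly what lets a message from a remote peer (a client talking to a camera, or a malicious server answering a client) corrupt the stack; the hardened routine carries an explicit limit and rejects an over-long name instead of truncating it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed size for an on-stack element-name buffer. */
#define TAG_MAX 32

/*
 * VULNERABLE pattern (illustration, not gSOAP's code): copy the element
 * name following '<' into a fixed stack buffer with no bound. A message
 * whose first element name is longer than TAG_MAX-1 bytes writes past
 * `name` and corrupts the stack frame, which is the kind of defect that
 * turns a malformed SOAP message into remote code execution.
 * Call only on benign input, never on network data.
 */
static int read_tag_unsafe(const char *xml)
{
    char name[TAG_MAX];
    const char *p = strchr(xml, '<');
    size_t n = 0;

    if (p == NULL)
        return -1;
    for (p++; *p != '\0' && *p != '>' && *p != ' ' && *p != '/'; p++)
        name[n++] = *p;          /* no check that n < TAG_MAX */
    name[n] = '\0';
    printf("unsafe parser read element <%s>\n", name);
    return (int)n;
}

/*
 * HARDENED form: same logic, but the copy is bounded by the destination
 * size and an over-long name is rejected (fail closed) rather than
 * silently truncated, so a hostile message can never reach past `out`.
 */
static int read_tag_safe(const char *xml, char *out, size_t outlen)
{
    const char *p = strchr(xml, '<');
    size_t n = 0;

    if (p == NULL || outlen == 0)
        return -1;               /* no element, or no room at all */
    for (p++; *p != '\0' && *p != '>' && *p != ' ' && *p != '/'; p++) {
        if (n + 1 >= outlen)     /* keep one byte for the terminator */
            return -2;           /* reject: name too long for the buffer */
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse with a TAG_MAX stack buffer; returns the name length or an error. */
int safe_tag_len(const char *xml)
{
    char name[TAG_MAX];
    return read_tag_safe(xml, name, sizeof name);
}

/*
 * Build a constructed hostile message "<AAA...A/>" whose element name is
 * `len` bytes long and feed it to the hardened parser. Returns the parser's
 * result: `len` if accepted, -2 if rejected.
 */
int probe_long_name(size_t len)
{
    char *msg = malloc(len + 4);
    int rc;

    if (msg == NULL)
        return -1;
    msg[0] = '<';
    memset(msg + 1, 'A', len);
    msg[len + 1] = '/';
    msg[len + 2] = '>';
    msg[len + 3] = '\0';
    rc = safe_tag_len(msg);
    free(msg);
    return rc;
}

int main(void)
{
    /* Constructed sample, modelled on an ONVIF-style SOAP 1.2 envelope. */
    const char *benign =
        "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\">";

    printf("unsafe parser on benign input: %d\n",
           read_tag_unsafe("<GetDeviceInformation/>"));
    printf("safe parser on benign envelope: %d\n", safe_tag_len(benign));
    printf("safe parser on 4000-byte element name: %d\n",
           probe_long_name(4000));
    return 0;
}
```

The point to take from the pair is not the particular check but where the bound lives: the hardened parser is told the size of the buffer it writes into and stops before it, while the vulnerable one trusts the message to be well-formed. Whether a given gSOAP-based device is reachable by such a message depends on its network exposure, which is what the recommendations later in the article address.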

To help understand the magnitude and reach of this vulnerability, we turned to Genivia, the company that manages gSOAP. Genivia claims to have more than 1M downloads of gSOAP (most likely developers), and IBM, Microsoft, Adobe and Xerox as customers. On Sourceforge gSOAP was downloaded more than one thousand times in one week, and to-date, 30,000 times in 2017. Once gSOAP is downloaded and added to a company's repository, it's likely used many times for different product lines.

In addition, Axis is one of thousands of companies that are part of the ONVIF forum, an organization responsible for maintaining software and networking protocols that are general purpose enough for a variety of companies to use in a wide range of physical security products. The forum relies on SOAP to support the ONVIF specifications, and approximately 6% of the forum members use gSOAP.

It is likely that tens of millions of products — software products and connected devices — are affected by Devil’s Ivy to some degree.

Axis immediately informed Genivia, the company behind gSOAP, which released a patch. Axis also reached out to ONVIF to ensure all members of the forum are aware of the issue and can move swiftly to develop a fix if they use gSOAP.

Here's what is being recommended:

1. Keep physical security devices off of the public internet. As of July 1st, a search of Shodan indicated over 14,700 Axis dome cameras publicly accessible to anyone in the world. All the cameras that are vulnerable to Devil's Ivy are potentially exploitable. Devices like security cameras should be connected to a private network, which makes exploitation much more difficult.

2. Defend IoT devices as much as possible. If you can place a firewall or other defensive mechanism in front of an IoT device, or utilise Network Address Translation (NAT), you can reduce their exposure and improve the likelihood of detecting threats against them.

3. Patch. Patching IoT devices is not always possible, even when the underlying OS is something familiar, like Windows XP. When a manufacturer does release a patch, make sure you update your devices as soon as possible. If this is not within your control, place other layers of security between your vulnerable device and the external Internet.

Image Credit: Senrio