iconimage - Fotolia

Devil’s Ivy a call to action on IoT security

The discovery of a security flaw in an open source third-party code library that could allow attackers to access and hijack devices underlines the need for a greater focus IoT security, say experts

Researchers investigating security cameras made by Axis Communications have discovered a stack buffer overflow vulnerability, which they’ve dubbed Devil’s Ivy.

The researchers at security firm Senrio found that the vulnerability could be exploited by attackers to access a video feed remotely or deny the owner access to the feed. 

“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded,” the researchers wrote in blog post.

Although Axis has issued security patches for 249 camera models affected, the security researchers say the impact of Devil’s Ivy goes far beyond Axis because it lies deep in the communication layer, in an open source third-party toolkit called gSOAP (Simple Object Access Protocol).

The gSOAP protocol is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet, the researchers said. 

Devil’s Ivy affects all gSOAP devices 

Although it is difficult to determine the extent to which devices using gSOAP can be exploited, the researchers said all software or device manufacturers that rely on gSOAP to support their services are affected by Devil’s Ivy.

Genivia, the company that manages gSOAP, claims to have more than one million downloads of gSOAP, with IBM, Microsoft, Adobe and Xerox listed as customers.

Axis Communications is one of thousands of companies that are part of the Onvif developer forum, which is responsible for standardising IP connectivity for physical security products and relies on SOAP to support the Onvif specifications. Approximately 6% of the forum members use gSOAP.

“It is likely that tens of millions of products – software products and connected devices – are affected by Devil’s Ivy to some degree,” the Senrio researchers said.

“It is likely that tens of millions of products are affected by Devil’s Ivy to some degree”
Senrio researchers

Although servers are more likely to be exploited, research shows that clients can be vulnerable if they receive a SOAP message from a malicious server.

In addition to the camera security patches issued by Axis, Genivia has released a patch and Onvif is alerting its members so they can move swiftly to develop a fix if they use gSOAP. 

Senrio recommends that organisations defend internet of things (IoT) devices as much as possible by placing a firewall or other defensive mechanism in front of the devices or using network address translation (NAT) to reduce exposure and improve the likelihood of detecting threats.

Although it recognises that patching IoT devices is not always possible, Senrio also recommends that organisations update devices as soon as possible when a manufacturer releases a patch, but if this is not possible, it recommends placing other layers of security between a vulnerable device and the external internet.

Devil’s Ivy spreading fast

The researchers said they chose the name Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code re-use. Its source in a third-party toolkit downloaded millions of times means it has spread to thousands of devices and will be difficult to entirely eliminate.

Chris Schmidt, senior manager of research at Synopsys, said pervasive vulnerabilities in third-party libraries are a well-understood problem that security experts and software engineers need to work together to resolve.

“Software will depend more and more on code re-use and third-party libraries and frameworks,” he said.

According to Schmidt, the use of immature code is compounded when applications inherit the risks, bugs and flaws that exist across purpose-built libraries developers have imported to support the capabilities they require for an application.

“The rate at which new libraries are created and posted online exceeds our ability to provide adequate review of them, and adoption of the latest technology can happen in hours based on word-of-mouth from social networks like Twitter,” he said.

“The still prevalent lack of vulnerability identification and weak authentication by device manufacturers means we potentially face decades of problems”
Mike Ahmadi, Synopsys

Organisations can help temper these types of pervasive security issues, said Schmidt, by enforcing policies that require verification and independent review of third-party code before it’s used. “However this generally doesn’t scale and severely limits the ability of engineers to innovate at a competitive speed,” he added.

Mike Ahmadi, global director of critical systems security at Synopsys, said: “We are now bearing witness to a world where mass-produced IoT devices lack any reasonable programme for vulnerability identification and management. This, coupled with weak authentication, means that many of these devices are just waiting for their turn to become victims of the ‘hack of the week’ club. 

“We have managed to work our way into a hole, and it is going to get a lot worse before it gets better. The still prevalent lack of vulnerability identification and weak authentication by device manufacturers means we potentially face decades of problems. I hate to paint a grim picture, but hopefully it will cause organisations to dedicate more resources towards proactively addressing these issues.”

Read more about IoT security

Read more on Hackers and cybercrime prevention