‘Devil’s Ivy’ Could be Used to Intercept, Shut Down Video Feeds
An investigation into a single IP security camera has unfolded into yet another worrying finding in the land of the internet of things. A software vulnerability in an obscure but widely used code library can be exploited to remotely hijack a video feed or simply shut IP cameras down.
The finding comes from Senrio, a Portland, Oregon-based cybersecurity company that specializes in IoT. Senrio says the vulnerability, a buffer overflow, could be present in tens of millions of software products or other connected devices.
Senrio investigated a model M3004 security camera made by Sweden-based Axis Communications. That camera, as well as 249 other models in Axis’s line of products, uses an open-source software library called gSOAP.
gSOAP is a toolkit for implementing XML-based web services in applications. It’s widely used by application developers at Fortune 500 companies, including IBM, Microsoft, Adobe and Xerox.
Senrio dubbed the buffer overflow “Devil’s Ivy.” The flaw has been patched, and Axis has updated its devices, but there are questions as to whether all devices and applications created by dozens of organizations that employ the gSOAP library will be fixed.
Senrio posted a video of the exploit and a detailed technical writeup.
At least as far as IP cameras are concerned, “when exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” according to Senrio’s post. “Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”
Because gSOAP is widely used, the impacts probably go well beyond Axis.
“It is likely that tens of millions of products – software products and connected devices – are affected by Devil’s Ivy to some degree,” Senrio writes.
Axis is just one of hundreds of members of the ONVIF forum, an industry group that develops standard interfaces for IP-based physical security products. Senrio says that SOAP – short for Simple Object Access Protocol – is used to support the forum’s specifications. Six percent of the forum’s members use gSOAP, Senrio says.
Software tool developer Genivia issued a patch for the flaw on June 21. Exploiting the flaw is challenging: An attacker would have to supply an XML message that is more than 2 gigabytes to trigger the flaw, a quite voluminous stream of data traffic, according to Genivia’s patch alert.
“Fortunately, the overflowing data after 2GB is cleaned up in the buffer, which means that the chances of exploiting this flaw by injecting code is significantly reduced in gSOAP versions affected,” Genivia writes.
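One defensive check that follows from the 2 GB trigger size, added here as an example and not code from Senrio, Genivia or Axis: a proxy or filtering device placed in front of a camera can refuse SOAP POSTs whose declared body is anywhere near that size, since legitimate ONVIF messages are tiny. The /onvif/ path prefix and the 1 MiB cap are assumptions, and the sample request heads are constructed.

```python
import re

TWO_GB = 2 * 1024 ** 3
# Assumed policy: real ONVIF/SOAP messages are small, so cap bodies far
# below the 2 GB the article says is needed to trigger the gSOAP flaw.
MAX_SOAP_BODY = 1 * 1024 ** 2  # 1 MiB
SOAP_PATH = re.compile(r"^/onvif/", re.IGNORECASE)  # assumed endpoint prefix

def parse_request_head(raw: bytes) -> dict:
    """Parse an HTTP/1.1 request line and headers (head only, no body)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def soap_request_verdict(raw: bytes) -> str:
    """Return 'allow', 'reject-size' or 'reject-chunked' for a request head."""
    req = parse_request_head(raw)
    if req["method"] != "POST" or not SOAP_PATH.match(req["path"]):
        return "allow"  # only SOAP POSTs carry an XML body to gSOAP
    headers = req["headers"]
    if "chunked" in headers.get("transfer-encoding", "").lower():
        # A chunked body has no declared length, so it cannot be bounded
        # from the head alone; the assumed policy requires Content-Length.
        return "reject-chunked"
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        return "reject-size"  # malformed length is treated as oversized
    if length < 0 or length > MAX_SOAP_BODY:
        return "reject-size"
    return "allow"

# Constructed sample request heads, not captured traffic.
SAMPLES = {
    "normal": (b"POST /onvif/device_service HTTP/1.1\r\nHost: cam\r\n"
               b"Content-Type: application/soap+xml\r\nContent-Length: 512\r\n\r\n"),
    "huge": (b"POST /onvif/device_service HTTP/1.1\r\nHost: cam\r\n"
             b"Content-Length: " + str(TWO_GB + 1).encode() + b"\r\n\r\n"),
    "chunked": (b"POST /onvif/media HTTP/1.1\r\nHost: cam\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"),
    "get": b"GET /onvif/device_service HTTP/1.1\r\nHost: cam\r\n\r\n",
}

def verdicts() -> dict:
    """Apply the guard to every constructed sample."""
    return {name: soap_request_verdict(raw) for name, raw in SAMPLES.items()}
```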
Senrio’s findings underscore a persistent concern: that a vulnerability in a code library used in many products by many organizations poses long-term risks, even long after a patch has been issued.
This scenario played out earlier with Heartbleed, the vulnerability in the OpenSSL cryptographic library. Although the issue was quickly patched, unpatched systems are still found (see Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable).
Although it’s impossible to predict in what product or code the next flaw will be found, administrators can take steps to at least reduce their IoT exposure if a flaw comes to light.
As with many IoT devices, being reachable from the public internet is often the first problem when it comes to defending against new vulnerabilities. Senrio says that using the Shodan search engine, it found 14,000 cameras made by Axis that are exposed to the internet.
The best advice is to ensure devices such as cameras are on their own private networks or at least behind a firewall.
“If you can place a firewall or other defensive mechanism in front of an IoT device, or utilize Network Address Translation, you can reduce their exposure and improve the likelihood of detecting threats against them,” Senrio says.