Senrio researchers recently uncovered a stack buffer overflow vulnerability in the open source third-party toolkit gSOAP, which is used in millions of IoT devices — the researchers first uncovered the flaw in an Axis Communications M3004 security camera.
“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” they wrote. “Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”
“In the case of this camera, in order to exploit the vulnerability you would need to send a malicious payload to port 80,” Senrio vice president of research M. Carlton told Kaspersky Lab. “The camera then processes the data using the vulnerable library. The attacker then sends the specially crafted payload that triggers the buffer stack overflow which leads to customer code execution.”
Senrio is calling the vulnerability “Devil’s Ivy” because, like the plant, it spreads quickly and is almost impossible to kill. “Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate,” the researchers wrote.
Axis says Devil’s Ivy is present in 249 of its camera models — the company has released updated firmware, and is urging its partners and customers to upgrade.
Tens of Millions of Products
Genivia, the company that manages the gSOAP toolkit, boasts more than 1 million downloads by customers including Microsoft, Adobe and Xerox. The toolkit has already been downloaded more than 31,000 times on SourceForge this year alone. “Once gSOAP is downloaded and added to a company’s repository, it’s likely used many times for different product lines,” the researchers noted.
In total, Senrio suggests, tens of millions of products are likely to be affected by Devil’s Ivy.
The researchers recommend taking the following steps to ensure IoT device security:
- Keep physical security devices off of the public Internet. Devices like security cameras should be connected to a private network, which will make exploitation much more difficult.
- Defend IoT devices as much as possible. If you can place a firewall or other defensive mechanism in front of an IoT device, or utilize Network Address Translation (NAT), you can reduce their exposure.
- Patch. When a manufacturer releases a patch, update your devices as soon as possible. If this is not within your control, place other layers of security between your vulnerable device and the Internet.
Prioritizing Device Security
The researchers said Devil’s Ivy highlights the growing concern with IoT security. “We forget or don’t realize that many of the devices we use every day are computers — from the stoplight at your street corner to the Fitbit you wear on your wrist — and therefore are just as, if not more, vulnerable as the PC you sit in front of every day,” they wrote.
And Plixer CEO Michael Patterson told eSecurity Planet by email that every operating system has zero-day exploits waiting to be discovered. “This means compromises are inevitable,” he said. “Organizations should be baselining the behaviors of IoT devices with network traffic analytics systems. Communications patterns that emerge out of what is expected from IoT devices is often a telltale sign of an infection.”
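The baselining Patterson describes can be sketched as follows. This is an added example, not code from the article, Senrio or Plixer; the flow-record layout, the thresholds and the sample addresses are assumptions made for illustration, with port 80 taken from the camera service mentioned above.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows (device, direction, peer, server_port, bytes); RFC 1918/5737 addresses.
LEARNING = [
    ("10.0.5.21", "in",  "10.0.1.10", 80,  48_000),   # video server pulls the feed
    ("10.0.5.21", "in",  "10.0.1.10", 80,  51_000),
    ("10.0.5.21", "in",  "10.0.1.10", 80,  50_500),
    ("10.0.5.21", "out", "10.0.1.2",  123, 90),       # NTP
    ("10.0.5.21", "out", "10.0.1.2",  123, 90),
]
OBSERVED = [
    ("10.0.5.21", "in",  "10.0.1.10",    80,   49_500),   # expected
    ("10.0.5.21", "in",  "203.0.113.7",  80,   2_100),    # unknown client on port 80
    ("10.0.5.21", "out", "198.51.100.9", 4444, 700),      # camera opens a new outbound service
    ("10.0.5.21", "in",  "10.0.1.10",    80,   900_000),  # volume far above normal
]

def build_baseline(flows):
    """Map device -> {(direction, peer, port): [byte counts]}."""
    base = defaultdict(lambda: defaultdict(list))
    for dev, direction, peer, port, nbytes in flows:
        base[dev][(direction, peer, port)].append(nbytes)
    return base

def detect(baseline, flows, sigmas=3.0, min_spread=0.25):
    """Return (flow, reason) for each flow that departs from the baseline."""
    alerts = []
    for flow in flows:
        dev, direction, peer, port, nbytes = flow
        known = baseline.get(dev)
        if known is None:
            alerts.append((flow, "device-not-baselined"))
            continue
        sizes = known.get((direction, peer, port))
        if sizes is None:
            seen_ports = {p for d, _, p in known if d == direction}
            reason = "new-peer" if port in seen_ports else "new-service"
            alerts.append((flow, reason))
            continue
        mu = mean(sizes)
        # Floor the spread so a very steady baseline does not alert on noise.
        limit = mu + sigmas * max(pstdev(sizes), min_spread * mu)
        if nbytes > limit:
            alerts.append((flow, "volume-spike"))
    return alerts

if __name__ == "__main__":
    for flow, reason in detect(build_baseline(LEARNING), OBSERVED):
        print(reason, flow)
```

In practice the learning window would come from NetFlow/IPFIX or firewall logs collected while the device is known to be healthy, and the baseline would be rebuilt after each firmware update.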
Still, a recent Canonical survey of more than 360 IoT professionals found that their most immediate challenge in adopting IoT isn’t device security — it’s quantifying ROI and providing a clear use case.
Other key challenges include lack of budget/investment in IoT (34 percent), lack of IoT infrastructure (40 percent) — and device security and privacy, at 45 percent.
To encourage greater IoT adoption, 34 percent of respondents believe quantifying the business benefits of the Internet of Things should be their number one priority.