Security researchers at Senrio have discovered a stack buffer overflow vulnerability (CVE-2017-9765) in the M3004 Axis Communications security camera. Dubbed “Devil’s Ivy,” the vulnerability, identified in an open source third-party code library, results in remote code execution.
“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” the researchers explained in a blog post.
“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”
It should be noted that Axis, which confirmed the presence of Devil’s Ivy in 249 distinct camera models, has released patched firmware, prompting partners and customers to upgrade. As the Senrio researchers emphasize, the impact of Devil’s Ivy goes far beyond one particular Axis security camera, as it lies deep in the communication layer, in an open source third-party toolkit known as gSOAP, which implements SOAP (Simple Object Access Protocol).
“gSOAP is a widely-used web services toolkit and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time,” the researchers elaborated. “Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server… It is likely that tens of millions of products – software products and connected devices – are affected by Devil’s Ivy to some degree.”
H.D. Moore, an IoT researcher for consulting firm Atredis Partners who reviewed Senrio’s findings, told Wired’s Andy Greenberg that Devil’s Ivy highlights how supply chain code is shared across the Internet of Things.
“IoT affects our lives far more intimately than desktops,” he stated. “The prevalence of this vulnerability reminds us that without security for all the little computerized devices that we rely on, we’re standing on a house of cards.”
As we’ve previously discussed on Rambus Press, the clear majority of IoT devices are vulnerable and easily compromised, as many lack even the most basic security functionality. This is problematic, because an unsecured IoT ecosystem introduces real-world risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with the devices themselves.
The most effective IoT security solution is one that does not disrupt the OEM’s profitability or time to market. A practical and simple, yet secure solution that can be easily and widely adopted by OEMs and services is more effective than a ‘super solution’ with only limited adoption. Indeed, a solution that provides seamless end-to-end secure connectivity, from device to the cloud, can really help make a significant difference, as basic as it is.