Tens of millions of products, including airport surveillance cameras, sensors, networking equipment and IoT devices, are vulnerable to a flaw that allows attackers to remotely gain control over devices or crash them.
The vulnerability, dubbed Devil’s Ivy, was identified by researchers at Senrio, who singled out high-end security cameras manufactured by Axis Communications. Senrio said 249 models of 251 Axis cameras are vulnerable to unauthenticated remote attackers who can intercept a video feed, reboot cameras, or pause a video feed while conducting a crime.
Researchers said Axis Communications isn’t alone, reporting that 34 companies use the same underlying flawed software, including Microsoft, IBM, Xerox and Adobe. Those companies are part of the ONVIF Forum, an unofficial international consortium of hardware vendors.
Researchers believe bad code used in a software library responsible for the bug originated from the ONVIF Forum, which is responsible for maintaining software and networking protocols used by members. “While forums like ONVIF serve a useful purpose when it comes to issues of cost, efficiency, and interoperability, it is important to remember that code reuse is vulnerability reuse,” researchers said.
The vulnerability is in the communication layer of gSOAP, a software library used in those devices. gSOAP is a widely used web services development tool for XML that enables devices to talk to the internet, researchers wrote on Tuesday in a technical blog explaining the vulnerability. Approximately six percent of the forum members use gSOAP, Senrio said.
The vulnerability allows a remote adversary to flood the targeted device over port 80 with data and create a simple buffer overflow attack. Next, researchers say, the adversary can send a specially crafted payload of data that allows a remote unauthenticated user to execute code on vulnerable devices.
“In the case of this camera, in order to exploit the vulnerability you would need to send a malicious payload to port 80. The camera then processes the data using the vulnerable library. The attacker then sends the specially crafted payload that triggers the buffer stack overflow which leads to custom code execution,” said M. Carlton, VP of research with Senrio, in an interview with Threatpost.
Once the attacker executes code on the device, they have the ability to reset the firmware back to the device’s factory defaults. From there, they can change the passwords or network settings, Carlton said. The attack works on vulnerable devices, despite the use of complex passwords.
Michael Tanji, COO and cofounder of Senrio, told Threatpost that the attack generally should sound alarm bells because of the large volume of traffic sent to cameras and IoT devices when attacks take place.
“In the security cameras that we looked at, this library is a big problem. With some other security devices and other general applications of gSOAP it may not be as big of a problem,” Tanji said. “We just don’t know, because we haven’t done the extensive research.”
Tanji said that Senrio privately disclosed the vulnerability in May and waited until Axis and Genivia deployed a patch before publicly disclosing the flaw on Tuesday. A scan of the internet using Shodan had revealed 14,700 of Axis’s cameras vulnerable to Devil’s Ivy. Senrio recommends patching, but also keeping security devices off the public internet and behind a firewall.
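Tanji's point about traffic volume and Senrio's advice to keep cameras behind a firewall can both be turned into a monitoring check. The sketch below is an example added to this article, not Senrio's or Axis's code: the subnets, the byte threshold and the flow records are constructed assumptions to be replaced with a site's own baseline.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic).
# bytes_in = bytes sent from src to the device (inbound direction).
SAMPLE_FLOWS = """src,dst,dport,bytes_in
10.0.5.20,10.0.9.11,80,48213
10.0.5.20,10.0.9.11,80,51022
203.0.113.7,10.0.9.12,80,912
198.51.100.44,10.0.9.13,80,1073741824
198.51.100.44,10.0.9.13,80,1073741824
198.51.100.44,10.0.9.13,80,524288000
10.0.5.21,10.0.9.13,554,7340032
"""

# Assumptions for illustration: camera VLAN, management subnet, volume threshold.
CAMERA_NET = ipaddress.ip_network("10.0.9.0/24")
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
VOLUME_THRESHOLD = 100 * 1024 * 1024  # inbound bytes per (src, dst) pair

def analyze(flow_csv):
    """Return (src, dst, total_inbound_bytes, reasons) for suspicious pairs."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dst = ipaddress.ip_address(row["dst"])
        # Only the web service on port 80 of camera hosts is in scope here.
        if dst not in CAMERA_NET or int(row["dport"]) != 80:
            continue
        totals[(row["src"], row["dst"])] += int(row["bytes_in"])

    findings = []
    for (src, dst), total in sorted(totals.items()):
        reasons = []
        # A camera's web interface normally receives small requests and
        # sends video out, so heavy inbound volume is the anomaly.
        if total >= VOLUME_THRESHOLD:
            reasons.append("high-volume")
        # Any source outside the management subnet means the device is
        # reachable from where it should not be.
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
        if reasons:
            findings.append((src, dst, total, reasons))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

An "untrusted-source" finding on its own is a firewall-policy problem to fix even when no attack is under way.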
“Devil’s Ivy highlights the industry’s growing concern with the security of IoT. We forget or don’t realize that many of the devices we use every day are computers — from the stoplight at your street corner to the Fitbit you wear on your wrist — and therefore are just as, if not more, vulnerable as the PC you sit in front of every day,” researchers said.
Repositories hosted with ONVIF Forum and at places such as GitHub, Bitbucket and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. However, security experts have long warned the amount of insecure software tied to reused third-party libraries is staggering. In an analysis of 25,000 applications, researchers at Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.