Devil’s Ivy Vulnerability Could Affect Millions of IoT Devices - RTInsights

Flaw found in gSOAP, an open source third-party code library. Experts say ‘Devil’s Ivy’ could be the biggest IoT security nightmare yet.

Written By
Sue Walsh
Jul 19, 2017

The Internet of Things is well known for its security vulnerabilities. A case in point is last fall’s massive IoT-fueled DDoS attack that took out a sizeable portion of the Internet. Now a new threat has been discovered, and the security experts who found it said this could be the biggest security nightmare yet.

Dubbed “Devil’s Ivy,” it’s a stack buffer overflow vulnerability found by security firm Senrio in an Axis Communications security camera. These cameras are common as Axis is one of the world’s largest manufacturers of security web cameras. In fact, the researchers found one of the vulnerable models passing through LAX last week.

Devil’s Ivy in the Details

Devil’s Ivy results in remote code execution and was found in an open source third-party code library called gSOAP (Simple Object Access Protocol). It allows an attacker to remotely access a video feed or deny the owner access to it. Senrio points out that many of these cameras are meant to secure areas such as bank lobbies, so an infected camera could hypothetically prevent a crime from being recorded.

“We made this discovery in a single camera, but the code is used in a wide range of physical security products,” says Senrio chief operations officer Michael Tanji. “Anyone who uses one of the devices is going to be affected in one way or another. The scope and scale of this thing is arguably as big as anything we’ve been concerned about with computer security in recent history.”

The firm informed Axis, which confirmed Devil’s Ivy was present in 249 of its 252 camera models and immediately came up with a fix. Once Senrio confirmed the fix was successful, Axis immediately began releasing patched firmware and urging customers to upgrade ASAP.

The potential impact of this exploit goes much further than Axis, though. It lies deep in the communication layer of gSOAP, a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the Internet, Senrio said in a blog post.

How widespread could Devil’s Ivy be?

Any software or device manufacturer that relies on gSOAP to support its services is affected by Devil’s Ivy, though it’s impossible to say to what extent yet. Genivia, the company that manages gSOAP, claims it’s had over 1 million downloads by customers such as IBM, Adobe, Microsoft and Xerox. That’s just a hint at how widespread Devil’s Ivy could be. It’s likely that tens of millions of IoT devices could be affected.

Genivia has released a patch, but Senrio recommends that physical security devices be kept off the public Internet and that all devices be patched and updated regularly.

Sue Walsh

Sue Walsh is News Writer for RTInsights, and a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.
