Open Source Flaw ‘Devil’s Ivy’ Puts Millions of IoT Devices at Risk

Millions of IoT devices are vulnerable to cybersecurity attacks due to a vulnerability initially discovered in remote security cameras, Senrio reported this week.

The firm found the flaw in a security camera developed by Axis Communications, one of the world’s biggest manufacturers of the devices.

The Model 3004 security camera is used for security at the Los Angeles International Airport and other places, according to Senrio.

The problem turned out to be a stack buffer overflow vulnerability, which the firm dubbed “Devil’s Ivy.”

Axis notified the security firm that 249 different models of the camera were affected by the vulnerability. It found only three models that were unaffected.

Buried Deep

The problem lies deep in the communication layer of gSOAP, an open source third-party toolkit that is used by all kinds of device makers for IoT technology, according to Senrio.

gSOAP manager Genivia reported that the toolkit has been downloaded more than 1 million times, according to Senrio. Most of the downloads likely involved developers. Major companies including IBM, Microsoft, Adobe and Xerox are customers of the firm.

Genivia issued a new patch for gSOAP within 24 hours of being alerted to the vulnerability, and said it notified customers of the problem, according to CEO Robert van Engelen.

The obscure flaw was caused by an intended integer underflow, followed by a second unintended integer underflow that triggered the bug, he told LinuxInsider.

“The trigger happens when at least 2 GB of XML data is uploaded to a Web server,” van Engelen explained. “This bug was not discovered by proprietary static analysis tools or by our source code users who looked at the source code since 2002.”

Certain ONVIF devices act as Web servers, making them vulnerable when configured to accept more than 2 GB of XML data, he noted.
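The 2 GB trigger is also the point at which a signed 32-bit byte count can no longer hold the running total. The sketch below is an added illustration of that general bug class and of a size cap enforced before any data is counted; it is not gSOAP's code and not from Senrio or Genivia, and the chunk size, the 64 MiB cap and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define CHUNK    65536u                 /* constructed chunk size */
#define MAX_BODY (64ull * 1024 * 1024)  /* hypothetical 64 MiB policy cap */

/* Weak form: running total kept in a signed 32-bit counter. The wrap is
 * computed in unsigned arithmetic so the demo itself has no undefined
 * behaviour; the cast back is modular on mainstream compilers. */
static int32_t add_len_32(int32_t total, uint32_t n) {
    return (int32_t)((uint32_t)total + n);
}

/* Bytes received at the moment the 32-bit total first turns negative. */
static uint64_t first_negative_at(void) {
    int32_t total = 0;
    uint64_t real = 0;
    while (total >= 0) {
        total = add_len_32(total, CHUNK);
        real += CHUNK;
    }
    return real;
}

/* Hardened form: 64-bit total, cap checked before adding, no wrap possible. */
static int accept_chunk(uint64_t *total, uint64_t n, uint64_t max_body) {
    if (*total > max_body || n > max_body - *total)
        return 0;            /* reject: request exceeds the cap */
    *total += n;
    return 1;
}

/* Bytes actually accepted when a peer offers `offered` bytes in chunks. */
static uint64_t bytes_accepted_with_cap(uint64_t offered) {
    uint64_t total = 0, sent = 0;
    while (sent < offered && accept_chunk(&total, CHUNK, MAX_BODY))
        sent += CHUNK;
    return total;
}

int main(void) {
    printf("32-bit total goes negative after %llu bytes\n",
           (unsigned long long)first_negative_at());
    printf("capped receiver accepted %llu of %llu bytes\n",
           (unsigned long long)bytes_accepted_with_cap(3ull << 30),
           (unsigned long long)(3ull << 30));
    return 0;
}
```

Any length or remaining-space calculation derived from the wrapped counter is negative, which is why devices that limit request bodies to well under 2 GB never reach the condition.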

Wide-Ranging Problem

Many large manufacturers are using the same source, the ONVIF forum, for their networking protocol libraries, noted Ryan Spanier, director of research at Kudelski Security.

Because it is a shared library, the vulnerability exists in a large number of devices, he told LinuxInsider.

“Companies regularly integrate hardware and software into their devices that they did not write themselves,” Spanier said. “In some ways, this is similar to the Mirai botnet, but in that case they targeted an insecure backdoor present in a chip used by multiple camera manufacturers.”

The Mirai botnet, which struck last year, was one of the biggest incidents ever recorded, targeting the KrebsOnSecurity blog with a massive DDoS attack that measured 620 gigabytes per second.

An incident like Devil’s Ivy was inevitable, observed Bryan Singer, director of industrial cybersecurity services at IOActive.

“In the veritable push to technology, it is all too common that the drive towards first-to-market functionality will badly outpace solid, secure design,” he told LinuxInsider. “Unfortunately, this head-smack moment is all too common.”

Vendors need to audit components appropriately for security purposes, Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, told LinuxInsider, as “misunderstood or poorly implemented open source software allows attackers a path to bypass security mechanisms.”

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
