A newly uncovered flaw in an open-source third-party code library in gSOAP, dubbed Devil’s Ivy, is impacting tens of millions of connected devices.
IT firm Senrio found the vulnerability while researching an internet of things (IoT) security camera, but the research shows that a wide range of IoT devices have similar problems.
Like Heartbleed, Devil’s Ivy is an open-source reuse problem. gSOAP (Simple Object Access Protocol) is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Genivia, the company that manages gSOAP, claims to have more than 1 million downloads, with IBM, Microsoft, Adobe and Xerox as customers. Once gSOAP is downloaded and added to a company’s repository, it can be used many times for different product lines.
Also, the ONVIF Forum, an organization responsible for maintaining software and networking protocols that are general purpose enough for a variety of companies to use in a wide range of physical security products, relies on gSOAP to support the ONVIF specifications.
Taken together, “it is likely that tens of millions of products—software products and connected devices—are affected by Devil’s Ivy to some degree,” Senrio researchers said, in a blog. “We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse. Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate.”
An exploit results in remote code execution—in the camera’s case, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.
Axis said that the issue is present in 249 distinct camera models, the exception being three of their older cameras, and it has patched the problem.
“The Internet of Things is ushering in an age of ambient computing. The more pervasive networked embedded devices (IOT) become in our lives, the more important it is to ensure they are resilient against attack. Identifying vulnerabilities in such devices is one way to help make them more secure,” Senrio researchers said. “While forums like ONVIF serve a useful purpose when it comes to issues of cost, efficiency, and interoperability, it is important to remember that code reuse is vulnerability reuse. The significance of this principle in the physical security device industry should be self-evident.”
Axis has informed Genivia of the issue and has reached out to ONVIF to ensure all members of the forum are aware of the problem.