Posted on July 19, 2017 at 11:37 AM
Thousands of Internet of Things devices worldwide could be under potential hack attack because of a flaw found in a software which many major manufacturers use.
The cause of this potential problem is a bug found by security researchers in an open source software library which makes it possible for hackers to remotely access the video feed of a camera, install a backdoor in the device or block the owner of the camera from accessing it. According to researchers, this bug could work on any other IoT device, too, which would mean that hackers could easily gain all the control over the products in question.
Stephen Ridley, the founder of security startup Senrio, told Motherboard that his crew has such a complete control of the camera that it would seem like it’s their own computer.
The bug has been named Devil’s Ivy by their finders, researchers who are led by M. Carlton. Researchers were inspecting a camera made by Axis, a multinational which base is in Sweden and which offers more than 200 different products to millions of customers worldwide, as told on their website. The company confirmed that the bug indeed exists and stated that it’s been classified as a critical vulnerability because it affects almost all of their products.
The open source library in which the researchers found the bug is a library under the name of gSOAP, made by Genivia company. Some members of ONVIF, an electronics industry consortium that includes Axis, use this software as well as other major companies like Canon, Siemens, and many others.
Ridley claims that all of these other manufacturers have products as vulnerable as Axis. Practically every IoT device is this vulnerable, any device you can think of, Ridley added.
A statement has been sent by email from an ONVIF representative, saying that the consortium has told its members of the anomaly and that it is now each member’s decision how they are going to handle the situation. In addition, the statement said that gSOAP is not mandated by the ONVIF terms, but since SOAP is the base of ONVIF API, this makes it possible for ONVIF members to be affected.
This vulnerability could affect hundreds of thousands of devices, estimated HD Moore, a security researcher working for security firm Atredis Partners. When the word Axis is typed in an engine that finds vulnerable devices on the internet called Shodan, 14,000 results come out.
What seems like a spec of hope in this situation is that most of the Axis cameras should be behind a firewall which would make it harder for hackers to break into the system. Some of the devices that use gSOAP offer a setting that limits the uploaded data. Van Engelen and Moore agree that this should prevent the misuse of the devices.
Customers have been alerted on July 6th by Axis which also made a patch to go along. But since Axis works with distributors who then work with individual sellers, it is difficult to reach every user.
Hopefully, the damage made by this flaw will be limited, but it is just another situation in the string of similar events in the last couple of years, where hackers abused the vulnerability of the various devices made by IoT. The market should definitely work on its security if it wants to attract more companies willing to take a risk and invest.