
IoT Security Cameras Have a Major Security Flaw

'Devil's Ivy' Could Be Used to Intercept, Shut Down Video Feeds
Security researchers traced a "Devil's Ivy" buffer overflow flaw first detected in this Axis Communications security camera to a widely used code library.

An investigation into a single IP security camera has unfolded into yet another worrying finding in the land of the internet of things. A software vulnerability in an obscure but widely used code library can be exploited to remotely hijack a video feed or simply shut IP cameras down.


The finding comes from Senrio, a Portland, Oregon-based cybersecurity company that specializes in IoT. Senrio says the vulnerability, a buffer overflow, could be present in tens of millions of software products or other connected devices.

Senrio investigated a model M3004 security camera made by Sweden-based Axis Communications. That camera, as well as 249 other models in Axis's line of products, uses an open-source software library called gSOAP.

gSOAP is a toolkit for implementing XML-based web services into applications. It's widely used by application developers at Fortune 500 companies, including IBM, Microsoft, Adobe and Xerox.

Senrio dubbed the buffer overflow "Devil's Ivy." The flaw has been patched, and Axis has updated its devices, but there are questions as to whether all devices and applications created by dozens of organizations that employ the gSOAP library will be fixed.

Senrio posted a video of the exploit and a detailed technical writeup.

At least as far as IP cameras are concerned, "when exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed," according to Senrio's post. "Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded."

Patch Now

Because gSOAP is widely used, the impacts probably go well beyond Axis.

"It is likely that tens of millions of products - software products and connected devices - are affected by Devil's Ivy to some degree," Senrio writes.

Axis is just one of hundreds of members of the ONVIF forum, an industry group that develops standard interfaces for IP-based physical security products. Senrio says that SOAP - short for Simple Object Access Protocol - is used to support the forum's specifications. Six percent of the forum's members use gSOAP, Senrio says.

Software tool developer Genivia issued a patch for the flaw on June 21. Exploiting the flaw is challenging: An attacker would have to supply an XML message that is more than 2 gigabytes to trigger the flaw, a quite voluminous stream of data traffic, according to Genivia's patch alert.

"Fortunately, the overflowing data after 2GB is cleaned up in the buffer, which means that the chances of exploiting this flaw by injecting code is significantly reduced in gSOAP versions affected," Genivia writes.

IoT Defenses

Senrio's findings underscore a persistent concern: that a vulnerability in a code library used in many products by many organizations poses long-term risks, even long after a patch has been issued.

This scenario played out earlier with Heartbleed, the vulnerability in the OpenSSL cryptographic library. Although the issue was quickly patched, unpatched systems are still found (see Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable).

Although it's impossible to predict in what product or code the next flaw will be found, administrators can take steps to at least reduce their IoT exposure if a flaw comes to light.

As with many IoT devices, being reachable from the public internet is often the first problem when it comes to defending against new vulnerabilities. Senrio says that using the Shodan search engine, it found 14,000 cameras made by Axis that are exposed to the internet.

The best advice is to ensure devices such as cameras are on their own private networks or at least behind a firewall.

"If you can place a firewall or other defensive mechanism in front of an IoT device, or utilize Network Address Translation, you can reduce their exposure and improve the likelihood of detecting threats against them," Senrio says.


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



