Millions of IoT Devices Affected, Senrio Reports Devil’s Ivy

Millions of IoT devices reportedly face the risk of compromise because of a flaw that Senrio first discovered in remote security cameras. The Internet of Things, or IoT, describes a system of interrelated computing devices, objects, mechanical and digital machines, animals and/or people that are given unique identifiers along with the ability to transfer data over a shared network.

This transfer of data happens without any human-to-human or human-to-computer interaction. The flaw was discovered in a security camera developed by Axis Communications, one of the biggest manufacturers of security devices in the world. The camera, Model 3004, is currently in use at Los Angeles International Airport, among other places. The flaw is a stack buffer overflow, which Senrio has called Devil’s Ivy. Axis has informed Senrio that 249 models of the camera are affected by this flaw; only three models were found to be safe.

The issue is rooted deep inside the communication layer provided by gSOAP, an open source third-party toolkit. According to Senrio, almost all manufacturers of security devices use it nowadays. Senrio also reported that Genivia, which manages gSOAP, says the toolkit has been downloaded more than a million times.

As one would expect, most of these downloads were made by developers, including major corporations such as Microsoft, Adobe, IBM and Xerox. As is standard, Genivia issued a security patch for gSOAP within 24 hours of being informed about the flaw. It also alerted many customers around the world to the problem they were facing.

Genivia CEO Robert van Engelen said that the flaw was caused by an intended integer underflow followed by a second, unintended integer underflow. He further explained that the flaw is triggered if a minimum of 2GB of XML data is uploaded to a server.

He also stated that the bug had been discovered neither by standard static analysis systems nor by Genivia’s own source code users (who, interestingly, have been looking at the code since 2002). According to van Engelen, a group of ONVIF devices sometimes act as web servers, which made them susceptible to the flaw when they were set to accept more than the standard limit (2GB or more) of XML data.

Another expert, Ryan Spanier, Director of Research at Kudelski Security, said that many of the big manufacturers were using the ONVIF forum as their source for constructing networking protocol libraries, which are shared. That leads to susceptibility and vulnerability across a huge group of systems and devices. He went on to explain that many corporations end up adding hardware and software to their devices that they did not write themselves.

He compared this incident to the Mirai botnet, the difference being that here the target was an unsafe backdoor in a chip that was being used by hordes of manufacturers. Last year saw the Mirai botnet incident, which became one of the largest incidents ever recorded. The blog KrebsOnSecurity faced a huge DDoS attack that reached 620GB every second.

Bryan Singer, Director of Industrial Cybersecurity Services at IOActive, stated that incidents like Devil’s Ivy were, at the end of the day, inevitable. He added that corporations the world over are competing to push technology further and further, which demands first-to-market functionality, and that in this race it is common for safe, secure, solid design to be overtaken. Dustin Childs, Communications Manager for Trend Micro’s Zero Day Initiative, made clear that appropriate audits of the different components used by manufacturers are a must, as poorly constructed open source software would let attackers bypass security mechanisms.