Millions of IoT devices vulnerable to Devil’s Ivy
Thu 20 Jul 2017
Security researchers have discovered a vulnerability, known as Devil’s Ivy, that allows an attacker to access a video feed remotely or to deny authorized users access to the feed.
Devil’s Ivy, a stack buffer overflow vulnerability, is present in almost all Axis security cameras. The company confirmed that it was found in 249 models, with only 3 older models excepted.
However, since the vulnerable code was found in the open-source gSOAP toolkit, all developers who use code from that library are at risk.
Because gSOAP, a widely used toolkit for SOAP (Simple Object Access Protocol) web services, has more than one million downloads by various developers and device manufacturers, millions of IoT devices may be compromised by Devil’s Ivy exploits.
As the Senrio researchers stated, while it is impossible to determine the extent to which IoT devices and services are vulnerable, “It is likely that tens of millions of products – software products and connected devices – are affected by Devil’s Ivy to some degree.”
The team found Devil’s Ivy by using IDA Pro to reverse engineer and examine the code controlling the data that is written to stack buffers. The vulnerable code was reached by sending a POST command to the ONVIF service.
ONVIF is an organization with thousands of members that manages software and networking protocols for physical security products.
The researchers debugged the camera in question and verified the vulnerability by forcing a system crash at a set value. From that point, rewriting addresses to the stack provided the team with executable space to allow code execution on the device.
“We were able to reset the camera to its factory defaults and take control of the camera, reboot it to prevent an operator from viewing the feed, and change network settings.”
The Devil’s Ivy vulnerability was found in an open-source, third-party library of code intended for reuse by developers, who can take bits of this code and incorporate them into their own work to connect IoT hardware to the internet. Because of this, each download contains the vulnerability, but not every developer necessarily uses the vulnerable portion. However, the code in question may have been reused multiple times on a variety of devices, making the spread of Devil’s Ivy difficult to pinpoint, and making its eventual elimination almost impossible.
Axis, the manufacturer of the IoT devices on which Devil’s Ivy was first discovered, was notified of the issue, created a fix, and has released patches to partners and customers.