Hack Brief: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices

An obscure bug in 34 companies' physical security gadgets could leave them open to hackers.

The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products. That means a single bug can impact a startling number of disparate devices. Or, as one security company's researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk.

The Hack

On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it's calling "Devil's Ivy," a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers. In all, the small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products. And while Genivia has already released a patch for the problem, it's so widespread---and patching so spotty in the internet of things---that it could persist unfixed in a large swath of devices.

"We made this discovery in a single camera, but the code is used in a wide range of physical security products," says Senrio chief operations officer Michael Tanji. "Anyone who uses one of the devices is going to be affected in one way or another."

While internet of things devices might be the most vulnerable to the Devil's Ivy flaw, Tanji points out that companies including IBM and Microsoft are exposed as well, though Senrio hadn't yet identified any of those companies' specific at-risk applications. "The scope and scale of this thing is arguably as big as anything we’ve been concerned about with computer security in recent history," Tanji says.

Not every security researcher shares quite that code-red sense of urgency. H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio's findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, which he describes as a "silly" amount of bandwidth. But he nonetheless sees it as a significant and widespread bug---and an illustration of the danger of reusing code from a small company across tens of millions of gadgets. "This vulnerability highlights how supply chain code is shared across the Internet of Things," he writes. "With IoT, code reuse is vulnerability reuse."

Who's Affected?

Senrio's research began last month, when its researchers found a vulnerability known as a buffer overflow in the firmware of a single security camera from Swedish security camera maker Axis Communications. They say the bug would allow a hacker who can send a two-gig payload of malicious data to run any code they chose on that camera, potentially disabling it, installing malware on it or even intercepting or spoofing its video stream. And the attack, they soon discovered, worked for not just that one camera model, but any of the 249 models Axis offers.

Axis quickly released a patch for the vulnerability. But the company also told Senrio that the bug wasn't in Axis's code, but rather in a code library distributed by Genivia as part of its popular gSOAP developer platform. And that gSOAP code is used---among other things---to implement a protocol called ONVIF, or Open Network Video Interface Forum, a networking language for security cameras and other physical security devices used by the ONVIF consortium, whose nearly 500 members include companies like Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp, Siemens, Sony, and Toshiba.

Just which of those hundreds of member companies use gSOAP---and might have left their products vulnerable as a result---isn't clear. In a phone call with WIRED, Genivia founder and gSOAP creator Robert van Engelen said 34 ONVIF companies used gSOAP as paying customers, but declined to say which ones. (He also argued that practically speaking, only devices that are configured as servers, like cameras and sensors, would be vulnerable, not those that use gSOAP as clients, like phones and PCs, given those clients don't have open connections ready to be exploited over the internet. Senrio disputes that claim, arguing that malicious servers could use the vulnerability to exploit client computers, too.) Van Engelen also noted that his software is open-source, so other companies may use it without his knowledge. WIRED reached out last Friday to the 15 major companies on ONVIF's member list named above to ask if they'd released specific patches for their gadgets. Almost all didn't respond or declined to comment, but a Bosch spokesperson said its products are not affected by the vulnerability. A Cisco spokesperson said the company is "aware of the matter and is monitoring" but declined to say---or perhaps didn't yet know---whether its products are vulnerable. "In the event we learn that Cisco products are affected, we will notify customers via our established processes," she wrote in a statement.

Using the internet-scanning tool Shodan, Senrio found 14,700 of Axis's cameras alone that were vulnerable to their attack---at least, before Axis patched it. And given that Axis is just one of the dozens of ONVIF companies that use the gSOAP code, Senrio's researchers estimate the total number of affected devices in the millions.

How Serious Is This?

The severity of Senrio's Devil's Ivy vulnerability will depend most of all on how widely it's been patched. Genivia's van Engelen says he moved quickly to create a security update as soon as Axis Communications told him about the problem, publishing a patch and alerting customers on June 21. But he describes himself as "a middle man." "I can’t tell for sure if they applied the patch," he says of the 34 ONVIF equipment vendors. "That’s their responsibility."

Whether devices are truly protected will depend on both the companies that use gSOAP making that patch available, and then on whether customers install it. Like most internet of things gadgets, the devices affected by Senrio's bug don't necessarily have automatic updates, or careful administrators maintaining them.

For the inevitable fraction of devices that aren't patched, Devil's Ivy may still not lend itself to a mass IoT meltdown. The majority of vulnerable devices that use the ONVIF protocol hide behind firewalls and other kinds of network segmentation, making them harder to find and exploit, says Jonathan Lewit, chairman of the ONVIF Communications Committee. And the need to send two full gigabytes of malicious data to target devices means a Devil's Ivy attack tool can't exactly be sprayed across the internet, says Moore. Instead, he suggests it could be used in a targeted fashion, one device at a time, or after gaining an initial foothold in a victim's network. Some implementations of gSOAP's code will also automatically limit the amount of data the device can receive in a single message, preventing Senrio's hacking method.
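One defensive detail in that paragraph is the per-message size limit. The C sketch below is an added illustration, not gSOAP's or any vendor's code, of a receive cap enforced with overflow-safe arithmetic; it assumes the failure mode the two-gigabyte threshold suggests, a signed 32-bit byte counter wrapping past 2 GiB, and the 8 MiB cap and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Added illustration, not gSOAP's or any vendor's code: a SOAP/ONVIF parser
 * reads a request in chunks and keeps a running byte count. */
/* Hypothetical per-message receive cap (8 MiB); real stacks pick their own. */
#define RECV_MAXLENGTH ((size_t)8 * 1024 * 1024)

enum recv_status { RECV_OK = 0, RECV_TOO_LARGE = 1 };

/* Unsafe accounting, the failure mode this example assumes: a signed 32-bit
 * byte counter wraps negative once 2 GiB has been read, so a later
 * "count > limit" check never fires. Returns 1 when the wrap occurs. */
int signed_counter_goes_negative(void) {
    int32_t count = 0;
    size_t i;
    for (i = 0; i < 2048; i++)                    /* 2048 x 1 MiB = 2 GiB */
        count = (int32_t)((uint32_t)count + (uint32_t)(1024 * 1024));
    return count < 0;
}

/* Hardened accounting: size_t total, bound checked before the add, so the
 * running total can neither wrap nor exceed the cap. */
static enum recv_status accept_chunk(size_t *total, size_t chunk, size_t limit) {
    if (chunk > limit || *total > limit - chunk)
        return RECV_TOO_LARGE;
    *total += chunk;
    return RECV_OK;
}

/* Simulates receiving nchunks chunks of chunk bytes (nothing is buffered).
 * Rejects the message at the cap; *accepted (if non-NULL) reports how many
 * bytes were admitted before that happened. */
enum recv_status receive_message(size_t chunk, size_t nchunks, size_t limit,
                                 size_t *accepted) {
    size_t total = 0, i;
    enum recv_status st = RECV_OK;
    for (i = 0; i < nchunks && st == RECV_OK; i++)
        st = accept_chunk(&total, chunk, limit);
    if (accepted)
        *accepted = total;
    return st;
}

/* Bytes admitted for a given message shape (convenient for checks). */
size_t accepted_bytes(size_t chunk, size_t nchunks, size_t limit) {
    size_t total = 0;
    receive_message(chunk, nchunks, limit, &total);
    return total;
}
```

A device that rejects a request at the cap never reads far enough for the counter to wrap, which is the effect the paragraph attributes to implementations that limit message size.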

Its importance may rest, Moore says, in its example of how broadly a single bug can permeate these kinds of devices. "IoT affects our lives far more intimately than desktops," he says. "The prevalence of this vulnerability reminds us that without security for all the little computerized devices that we rely on, we're standing on a house of cards." That house's stability depends not just on the company you bought your device from, but every unnamed vendor that wrote the obscure corners of its codebase.

This post has been updated to reflect that Genivia alerted customers to the patch on June 21.