Security researchers have uncovered a flaw in an open source third-party toolkit called gSOAP (Simple Object Access Protocol) that’s widely used to help connect IoT devices to the Internet.
Researchers at Senrio first discovered the flaw in an Axis Communications security camera. When exploited, the flaw – dubbed Devil’s Ivy after the plant which is nearly impossible to kill and spreads quickly – allows an attacker to remotely access a video feed or even block access to a feed (the latter of which could be incredibly helpful if you’re trying to rob a bank, for example).
Axis found the flaw in 249 of its camera models and has released a patch to fix it but the scope of the issue extends far beyond Axis’ product lines.
Because the flaw lies within the gSOAP toolkit, other devices that utilize gSOAP are also affected by Devil’s Ivy. Genivia, the company that manages gSOAP, tells Senrio that the toolkit has been download more than a million times. Its customers include big names like Adobe, Xeros, IBM and Microsoft, just to name a few.
H.D. Moore, a well-known IoT researcher for consulting firm Atredis Partners, tells Wired that the vulnerability highlights how supply chain code is shared across the Internet of Things. With IoT, Moore notes, code reuse is vulnerability reuse.
That said, Moore doesn’t seem to think the issue is a red-alert level threat due to the fact that an attack requires sending two gigabytes of data to a target. What’s more, an attack would have to be configured separately for each vulnerable device.
Senrio estimates that tens of millions of products – both connected devices and software – are affected by Devil’s Ivy to some degree.