
This article is more than 1 year old

'Millions of IoT gizmos' wide open to hijackers after devs drop gSOAP

Likelihood of patching for every affected system is zero

Security researchers investigating internet-connected video cameras have uncovered a bug that could conceivably leave millions of devices open to easy pwnage.

The team from embedded security specialists Senrio was looking into the code running an M3004-V network camera from Axis Communications. They found a serious hole in the firmware's web interface that would allow an attacker to either shut down the camera or hijack the feed and spy on people.

The vulnerability, dubbed Devil's Ivy aka CVE-2017-9765, can be exploited by overflowing a stack buffer by sending the camera's HTTP port 80 service a specially crafted POST command. From there, it's possible to gain control of the embedded system using some injected shellcode.

Cases such as this are very common in a world infected with Internet of Sh!t devices. Axis found that the same problem affected 249 of its camera models, and has apparently patched its software – if you have one of the vulnerable gizmos, make sure you apply an update from the manufacturer. The underlying flaw wasn't its fault, but rather an issue with a popular open-source code library called gSOAP.

This communications library, managed by Genivia, has had more than a million downloads by programmers, and is used by such big names as Microsoft, IBM, Adobe and Xerox. It allows hardware to be configured and controlled via web connections. The researchers found that the flaw was deep inside the software, and it can be exploited by an attacker to execute code remotely on an affected device.

"We named the vulnerability Devil's Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse," the team said.

"Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate. It is likely that tens of millions of products – software products and connected devices – are affected by Devil's Ivy to some degree."

Genivia has now patched the issue in gSOAP, but that's not the end of the problem. Now developers who have used the library will also need to patch their code, and push fresh firmware out to gadgets and gizmos worldwide, and experience suggests that that's not going to happen any time soon. ®

 
