IoT Security Company Senrio: New Devil's Ivy Vulnerability Puts Millions Of Devices At Risk
Internet of Things security company Senrio said Tuesday it has found a vulnerability, called Devil's Ivy, in the communication layer of connected devices.
A Senrio blog post said that the vulnerability, which initially was found in the Simple Object Access Protocol in Axis Communications security cameras, already has spread to thousands of devices – and can potentially reach millions more.
"Devil’s Ivy results in remote code execution and was found in an open-source third-party code library from gSOAP," said Senrio in a post. "When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded."
[Related: 15 Cool IoT Security Startups That Are Keeping Connected Devices Safe]
Axis Communications has released patched firmware for the gSOAP vulnerability – but the company that manages gSOAP, Genivia, said that at least 34 other companies use the code in their IoT devices – meaning that other devices are at risk, said Senrio.
"Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time," said Senrio. "Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server."
Senrio suggested that companies keep physical security devices off the public internet, stay up to date with patching through updating their devices as soon as possible, and defend their IoT devices with firewalls or by using Network Address Translation.
Security vulnerabilities in IoT devices were underscored in October when a DDoS attack – which was launched through IoT devices including webcams, routers and video recorders – overwhelmed servers at Dynamic Network Services, taking down up to 1,200 websites.
"Devil’s Ivy highlights the industry’s growing concern with the security of IoT. We forget or don’t realize that many of the devices we use every day are computers— from the stoplight at your street corner to the Fitbit you wear on your wrist — and therefore are just as, if not more, vulnerable as the PC you sit in front of every day," said the Senrio blog post.
Solution providers, for their part, have kept a critical eye on the security vulnerabilities behind IoT that could put their customers at risk. In a 2016 CRN survey of 240 solution providers, 72 percent of respondents said they were leaning toward being "extremely concerned" about security as it relates to IoT.
"Devil’s Ivy is a great example of an vulnerability that could be used by a hacker to gain control of an IoT device, then use that as a jumping-off point for other hacking activities," said David Johnson, vice president of sales and marketing for The Fulcrum Group, a Keller, Texas-based solution provider.