Hackers could hijack thousands of Internet of Things devices around the world, such as security cameras, due to a flaw in a piece of software used by several major manufacturers.
Security researchers found a bug in an open source software library that, when tested on an Internet of Things camera, allows hackers to remotely access the video feed of a camera, install a backdoor in the device, or block the camera's owner from accessing it. Researchers say it would work on other IoT devices as well—in other words, hackers would have total control over the vulnerable products, they said.
"We basically have complete control of the camera as if it was our own computer," said Stephen Ridley, founder of security startup Senrio in a phone call with Motherboard.
Ridley and his colleagues, led by a researcher who goes by M. Carlton, found the bug—which they're calling Devil's Ivy—while probing a camera manufactured by Axis, a Sweden-based multinational that sells more than 200 different products to millions of customers around the world, according to its website. Axis confirmed the existence of the bug and told Motherboard that it classified it as a "critical vulnerability" that affected almost all its products.
"They were all affected, basically," Fred Juhlin, Axis's global senior consultant, told Motherboard in a phone call, adding that the company sells "millions" of devices.
The researchers discovered the flaw in an open source software library called gSOAP, made by a company called Genivia. The software is used by some members of ONVIF, an electronics industry consortium that includes Axis, as well as other giants such as Canon, Siemens, Cisco, Hitachi, and many others.
"I bet you all these other manufacturers have the same vulnerability throughout their product lines as well," Ridley told Motherboard. "It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of."
An ONVIF spokesperson said in a statement sent via email that the consortium has notified its members of the flaw, but it's now "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected," according to the statement.
HD Moore, a well-known security researcher who works for security firm Atredis Partners, estimates that the vulnerability might affect "hundreds of thousands of devices," as he told Motherboard in a direct message on Twitter. A simple search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results.
Robert van Engelen, the CEO of Genivia, said in an email that the company knows of 34 manufacturers who use its software. The good news is that, in theory, most Axis cameras should sit behind a firewall, making it harder for hackers to reach and exploit them. But it's likely that other devices made by other companies also contain the bug and could be exposed on the internet.
Still, according to van Engelen, some of the devices using gSOAP should have a setting that limits the amount of data that can be uploaded to them—a defense against distributed denial of service attacks. This setting should prevent the exploitation of the devices, something that Moore confirmed as well.
Axis issued a patch and alerted its customers through a newsletter on July 6. The problem, however, is that Axis sells to distributors who then sell the devices to the end customers, so it's now up to the customers to install the patch—if they even know about the bug.
"It's very hard to reach to everyone," Juhlin admitted.
And remember, while the researchers discovered the flaw in an Axis camera, the bug could be in countless other devices, made by different companies.
That's one of the biggest issues with the Internet of Things (IoT). Bugs exist in all kinds of software and hardware. Manufacturers have become pretty good at pushing patches to computer and cellphone users, but many IoT devices never get patches.
"IoT devices don't have standard update procedures," Ridley said. "When these devices get deployed they stay vulnerable, they don't get fixed."
While the actual damage created by this flaw will hopefully be limited, this is yet another cautionary tale for the future of IoT. In the last couple of years, malicious hackers and security researchers have abused and exposed countless vulnerable devices, showing that the companies who are taking a plunge into the IoT market might not be ready or willing to secure their own products.
"The prevalence of this vulnerability reminds us that without security for all the little computerized devices that we rely on," Moore said, "we are standing on a house of cards."
Correction: this story has been updated to clarify that the gSOAP software is not pushed and promoted by ONVIF, but it's offered as an option that members of the consortium can implement.