'Millions of IoT gizmos' wide open to hijackers after devs drop gSOAP

Security researchers investigating internet-connected video cameras have uncovered a bug that could conceivably leave millions of devices open to easy pwnage.

The team from embedded security specialists Senrio was looking into the code running an M3004-V network camera from Axis Communication. They found a serious hole in the firmware's web interface that would allow an attacker to either shut down the camera or hijack the feed and spy on people.

The vulnerability, dubbed Devil's Ivy aka CVE-2017-9765, can be exploited by overflowing a stack buffer by sending the camera's HTTP port 80 service a specially crafted POST command. From there, it's possible to gain control of the embedded system using some injected shellcode.

Cases such as this are very common in a world infected with Internet of Sh!t devices. Axis found that the same problem affected 249 of its camera models, and has apparently patched its software – if you have one of the vulnerable gizmos, make sure you apply an update from the manufacturer. The underlying flaw wasn't its fault, but rather an issue with a popular open-source code library called gSOAP.

This communications library, managed by Genivia, has had more than a million downloads by programmers, and is used by such big names as Microsoft, IBM, Adobe and Xerox. It allows hardware to be configured and controlled via web connections. The researchers found that the flaw was deep inside the software, and it can be exploited by an attacker to execute code remotely on an affected device.

"We named the vulnerability Devil's Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse," the team said.

"Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate. It is likely that tens of millions of products – software products and connected devices – are affected by Devil's Ivy to some degree."

Genivia has now patched the issue in gSOAP, but that's not the end of the problem. Now developers who have used the library will also need to patch their code, and push fresh firmware out to gadgets and gizmos worldwide, and experience suggests that that's not going to happen any time soon. ®