Millions of IoT devices at hacking risk due to flaw in open source software library

Once again questions are being asked about IoT security after it was revealed that a buggy software library is being used in millions of devices connected to the internet around the world.

Researchers, who dubbed the buffer overflow vulnerability “Devil’s Ivy”, explained that against IP cameras the flaw could be exploited to remotely access the video feed, or to deny the genuine owner access to it.

In short, in scenes that are easy to imagine occurring in a Hollywood heist movie, criminals could either collect sensitive information by viewing the hacked camera feed or prevent an actual crime from being observed.

The flaw itself is in gSOAP, an open source toolkit that has been downloaded over a million times by developers who want to plug a quick-and-easy code library into their product to provide it with the ability to communicate over the internet.

There’s nothing necessarily wrong with the concept of so many different devices relying upon the same third-party code if the code has been written securely. Sadly, in the case of gSOAP it appears it wasn’t.

And that means there are now big implications. Genivia, the company behind gSOAP, has released a patch for its code – but that doesn’t mean that the myriad of IoT devices that have buggy versions of gSOAP embedded inside them are patched.

The problem is that the supply chain is broken.

Just consider the lifecycle of this problem.

– IoT device manufacturer needs their product to contain some IoT code. Rather than write all of it themselves, they download the third-party gSOAP library.

– IoT device manufacturer sells devices around the world, including the gSOAP code.

– Hundreds of other manufacturers do the same. Soon millions of devices are reliant on the gSOAP code.

– Security researchers find weakness in gSOAP code that could potentially be exploited by malicious hackers.

– gSOAP is patched to fix the vulnerabilities.

– Err…

In an ideal world, every manufacturer will act upon the announcement of the vulnerability and incorporate the fixed code into the future versions of their product and remotely patch the products they have already sold.

However, the world of IoT is far from ideal. Manufacturers may have gone bust, or may have little interest in spending money, time and resources building fixes for products that they have already sold, and may no longer have a vested interest in supporting. Some IoT products may not even have any infrastructure for receiving updates (it’s appalling to hear, but it’s true).

And you? Well, you, poor consumer, probably don’t even know whether your IoT product contains gSOAP or not. So even if you are keen to run a tight ship security-wise when it comes to your IoT devices, you may simply be oblivious that the devices you rely upon are at risk of exploitation.

I believe that sometimes developers rely too heavily on third-party code without necessarily exploring whether including it in their product might be introducing new insecurities. The idea behind open source code is a fine one – plenty of eyes can examine the code to determine if there are vulnerabilities, but that only works if someone is bothering to look.
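The two problems above, that the buyer cannot tell whether a device contains gSOAP and that the integrator never checked what was pulled in, are both inventory problems. The following added example (written for this page, not code from the article, Genivia or any device vendor) shows the minimal check a firmware team or a cautious buyer with a firmware dump could run: scan an image for the library's version banner, take the lowest version found, and compare it against the first fixed release. The banner format `gSOAP/<major>.<minor>.<patch>`, the `FIXED_VERSION` value and the sample images are all assumptions or constructed placeholders, not values from the article.

```python
"""Added example: a minimal embedded-component inventory check.

Search a firmware image for the version banner a third-party library stamps
into its binaries, parse the version and compare it with the first fixed
release.  Banner format and fixed version are assumptions / placeholders.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption: the library embeds a banner of this shape in compiled binaries.
BANNER_RE = re.compile(rb"gSOAP/(\d+)\.(\d+)\.(\d+)")

# Placeholder: the article does not state the fixed release, so substitute the
# value from the vendor advisory before using this for real.
FIXED_VERSION: Version = (2, 8, 99)


def find_library_version(firmware: bytes) -> Optional[Version]:
    """Return the (major, minor, patch) of the embedded library, or None.

    If several banners are present (e.g. two statically linked copies in
    different binaries), the lowest version is returned, because that copy is
    the one that determines the device's exposure.
    """
    versions = [
        (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        for m in BANNER_RE.finditer(firmware)
    ]
    return min(versions) if versions else None


def assess(firmware: bytes, fixed: Version = FIXED_VERSION) -> str:
    """Classify an image as 'absent', 'vulnerable' or 'patched'."""
    found = find_library_version(firmware)
    if found is None:
        return "absent"
    return "patched" if found >= fixed else "vulnerable"


# Constructed sample images standing in for real firmware dumps.
SAMPLE_IMAGES: Dict[str, bytes] = {
    "camera-a.bin": b"\x7fELF...\x00User-Agent: gSOAP/2.8.40\x00...",
    "camera-b.bin": b"\x7fELF...\x00Server: gSOAP/2.8.99\x00...",
    "sensor-c.bin": b"\x7fELF...\x00no soap library here\x00",
    # Two copies linked in; the older one decides the verdict.
    "dvr-d.bin": b"...gSOAP/2.8.99...gSOAP/2.8.1...",
}


def inventory(images: Dict[str, bytes] = SAMPLE_IMAGES) -> Dict[str, str]:
    """Return {image name: status} for a set of firmware images."""
    return {name: assess(blob) for name, blob in images.items()}


if __name__ == "__main__":
    for name, status in inventory().items():
        print(f"{name}: {status}")
```

The same loop, run over a vendor's full set of shipping firmware images, is the list of products that still need an update once a library fix is published; without such a list, the "Err…" step in the lifecycle above is where the process stalls.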

And as for businesses and home users? Always take great care about what devices you allow to be exposed to the public internet. If possible, place IoT devices behind a firewall to make it harder for hackers to exploit them remotely. And always consider whether the vendor you are buying IoT products from has a history of taking security seriously, and responding quickly and appropriately when serious problems like this are discovered.

6 comments

  • By Steve Rogerson

    I’ve thought for a long time that all code in devices should be put in escrow and put in to the public domain if and when the device is no longer maintained. I can see that there would be some squeals from the industry 🙂

  • By Adrian Thornton

    Let’s be honest, how many end users of these products are actually going to even be aware of this problem?

    There’s been plenty of talk on Cyber Security websites about this issue but nothing in the ‘main stream’ media.

    Manufacturers and developers need to be held to account.

  • By WPFreeman

    Holding manufacturers and developers to account is a laudable goal, but it is unrealistic in the real world. Think of the layers of manufacturing, contracting, subcontracting, branding, rebranding, features and options in different versions based on pricing… it quickly will become impenetrable from a tracking and enforcement point of view, even if the resources were magically made available to do it. The best approach to tackling this? … I don’t have a good idea, sadly.

  • By Mathieu

    We’re in 2016, people should just stop using XML as exchange format! They’re shooting themselves in the foot…

    • By Mathieu

      errrr… 2017 😀

  • By Leon

    This sort of thing is rampant in the tech industry due to just getting things out the door to get paid. Look at Android and the time between a vulnerability being discovered and the time it takes for a fix to be released if it even happens at all. Windows is the same way. But even routers and modems can have security issues due to lack of firmware updates and reliance on outdated software at release time because the chipset drivers only work with a specific kernel version. This was a major issue with Broadcom chips being stuck with kernel 2.4 due to issues with wifi and USB. Android has the same issue, but worse, since manufacturers have made it nearly impossible for end users to update their own devices with anything but official firmware releases, but more often than not, fail to release those official releases. But even USB devices can be a security vulnerability.