
Millions of IoT devices at hacking risk due to flaw in open source software library

Graham CLULEY

July 19, 2017


Once again questions are being asked about IoT security, after it was revealed that a buggy software library is embedded in millions of internet-connected devices around the world.

Researchers, who dubbed the buffer overflow vulnerability “Devil’s Ivy”, explained that an attacker who exploits the flaw in an IP camera (it is reachable through the device’s SOAP/XML web-service interface) could remotely access the video feed or deny the genuine owner access to it.

In short, in scenes that are easy to imagine occurring in a Hollywood heist movie, criminals could either collect sensitive information by viewing the hacked camera feed or prevent an actual crime from being observed.

The flaw itself is in gSOAP, an open source toolkit that has been downloaded over a million times by developers who want a quick-and-easy code library that gives their product SOAP/XML web-services support (the ONVIF interface exposed by many IP cameras is one common use), so that it can talk to other systems over the network.

There’s nothing necessarily wrong with the concept of so many different devices relying upon the same third-party code if the code has been written securely. Sadly, in the case of gSOAP it appears it wasn’t.

And that means there are now big implications. Genivia, the company behind gSOAP, has released a patch for its code – but that doesn’t mean that the myriad of IoT devices that have buggy versions of gSOAP embedded inside them are patched.

The problem is that the supply chain is broken.

Just consider the lifecycle of this problem.

– IoT device manufacturer needs their product to contain some IoT code. Rather than write all of it themselves, they download the third-party gSOAP library.

– IoT device manufacturer sells devices around the world, including the gSOAP code.

– Hundreds of other manufacturers do the same. Soon millions of devices are reliant on the gSOAP code.

– Security researchers find weakness in gSOAP code that could potentially be exploited by malicious hackers.

– gSOAP is patched to fix the vulnerability.

– Err…

In an ideal world, every manufacturer would act upon the announcement of the vulnerability, incorporate the fixed code into future versions of its product, and remotely patch the products it has already sold.

However, the world of IoT is far from ideal. Manufacturers may have gone bust, or may have little interest in spending money, time and resources building fixes for products that they have already sold, and may no longer have a vested interest in supporting. Some IoT products may not even have any infrastructure for receiving updates (it’s appalling to hear, but it’s true).

And you? Well, you, the poor consumer, probably don’t even know whether your IoT product contains gSOAP or not. So even if you are keen to run a tight ship security-wise when it comes to your IoT devices, you may simply be oblivious to the fact that the devices you rely upon are at risk of exploitation.
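There is one practical check, added here as an example (it is not code from the original article or from Genivia). gSOAP’s built-in HTTP server identifies itself with a `Server: gSOAP/2.8` header, and firmware images that link the library usually keep a full `gSOAP/2.8.x` version string. The Python below looks for that banner in a captured HTTP response or a firmware dump and compares the version against 2.8.48, the release in which Genivia shipped the fix for CVE-2017-9765 (the CVE assigned to Devil’s Ivy; neither identifier is quoted on the page above, both come from the public advisory). All sample inputs are constructed, the function names are my own, and a banner check is only a heuristic: a vendor may strip the header, or backport the fix without bumping the version string.

```python
import re
from typing import Optional, Tuple

# gSOAP's bundled HTTP server announces itself in responses ("Server: gSOAP/2.8"),
# and firmware that links the library usually keeps the full "gSOAP/2.8.x" string.
GSOAP_BANNER = re.compile(rb"gSOAP/(\d+)\.(\d+)(?:\.(\d+))?")

# Genivia shipped the Devil's Ivy fix (CVE-2017-9765) in gSOAP 2.8.48.
FIXED_VERSION = (2, 8, 48)

Version = Tuple[int, int, Optional[int]]


def find_gsoap_version(blob: bytes) -> Optional[Version]:
    """Return (major, minor, patch) from the first gSOAP banner in blob; patch is None if absent."""
    m = GSOAP_BANNER.search(blob)
    if m is None:
        return None
    patch = int(m.group(3)) if m.group(3) is not None else None
    return (int(m.group(1)), int(m.group(2)), patch)


def server_header(http_response: bytes) -> Optional[bytes]:
    """Extract the Server header value from a raw HTTP response (status line is skipped)."""
    head = http_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip()
    return None


def classify(version: Optional[Version]) -> str:
    """Map a parsed banner to a verdict; an incomplete banner is treated as unpatched."""
    if version is None:
        return "no gSOAP banner"
    major, minor, patch = version
    if patch is None:
        # "gSOAP/2.8" alone cannot distinguish 2.8.47 from 2.8.48: assume the worst.
        return "gSOAP present, patch level unknown: treat as unpatched"
    if (major, minor, patch) < FIXED_VERSION:
        return "gSOAP older than 2.8.48: vulnerable to CVE-2017-9765"
    return "gSOAP 2.8.48 or later: fixed"


def assess_http_response(http_response: bytes) -> str:
    """Verdict based only on the Server header of a captured response."""
    return classify(find_gsoap_version(server_header(http_response) or b""))


def assess_firmware(image: bytes) -> str:
    """Verdict based on version strings found anywhere in a firmware dump."""
    return classify(find_gsoap_version(image))


# Constructed sample inputs (hypothetical; not captured from any real device).
SAMPLE_CAMERA_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: gSOAP/2.8\r\n"
    b"Content-Type: application/soap+xml; charset=utf-8\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_NO_BANNER = b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\n\r\n"
SAMPLE_FIRMWARE_OLD = b"\x7fELF\x00\x00onvif_srvd\x00gSOAP/2.8.33\x00soap_get\x00"
SAMPLE_FIRMWARE_NEW = b"\x7fELF\x00\x00onvif_srvd\x00gSOAP/2.8.48\x00"

if __name__ == "__main__":
    print("camera reply :", assess_http_response(SAMPLE_CAMERA_RESPONSE))
    print("other server :", assess_http_response(SAMPLE_NO_BANNER))
    print("old firmware :", assess_firmware(SAMPLE_FIRMWARE_OLD))
    print("new firmware :", assess_firmware(SAMPLE_FIRMWARE_NEW))
```

To use it against a real device, send a SOAP request to the camera’s web-service port with a tool such as curl and feed the raw response to `assess_http_response`, or run `assess_firmware` over a firmware image pulled from the vendor’s download page. A verdict of “no gSOAP banner” does not prove the library is absent, only that it did not announce itself.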

I believe that sometimes developers rely too heavily on third-party code without necessarily exploring whether including it in their product might be introducing new insecurities. The idea behind open source code is a fine one – plenty of eyes can examine the code to determine if there are vulnerabilities, but that only works if someone is bothering to look.

And as for businesses and home users? Always take great care about which devices you allow to be exposed to the public internet. If possible, place IoT devices on their own network segment behind a firewall that blocks inbound connections from the internet, so that attackers cannot reach them directly and a compromised device cannot reach the rest of your network. And always consider whether the vendor you are buying IoT products from has a history of taking security seriously, and of responding quickly and appropriately when serious problems like this are discovered.
