Millions of IoT devices at hacking risk due to flaw in open source software library
Once again questions are being asked about IoT security after it was revealed that a buggy software library is being used in millions of devices connected to the internet around the world.
Researchers, who dubbed the buffer overflow vulnerability “Devil’s Ivy”, explained that one way in which the software flaw could be exploited against IP cameras would be by remotely accessing the video feed or denying the genuine owner access to a video feed.
In short, in scenes that are easy to imagine occurring in a Hollywood heist movie, criminals could either collect sensitive information by viewing the hacked camera feed or prevent an actual crime from being observed.
The flaw itself is in gSOAP, an open source toolkit that has been downloaded over a million times by developers who want to plug a quick-and-easy code library into their product to provide it with the ability to communicate over the internet.
There’s nothing necessarily wrong with the concept of so many different devices relying upon the same third-party code if the code has been written securely. Sadly, in the case of gSOAP it appears it wasn’t.
And that means there are now big implications. Genivia, the company behind gSOAP, has released a patch for its code – but that doesn’t mean that the myriad of IoT devices that have buggy versions of gSOAP embedded inside them are patched.
The problem is that the supply chain is broken.
Just consider the lifecycle of this problem.
– IoT device manufacturer needs their product to contain some IoT code. Rather than write all of it themselves, they download the third-party gSOAP library.
– IoT device manufacturer sells devices around the world, including the gSOAP code.
– Hundreds of other manufacturers do the same. Soon millions of devices are reliant on the gSOAP code.
– Security researchers find a weakness in the gSOAP code that could potentially be exploited by malicious hackers.
– gSOAP is patched to fix the vulnerabilities.
In an ideal world, every manufacturer will act upon the announcement of the vulnerability and incorporate the fixed code into the future versions of their product and remotely patch the products they have already sold.
However, the world of IoT is far from ideal. Manufacturers may have gone bust, or may have little interest in spending money, time and resources building fixes for products that they have already sold, and may no longer have a vested interest in supporting. Some IoT products may not even have any infrastructure for receiving updates (it’s appalling to hear, but it’s true).
And you? Well, you, the poor consumer, probably don’t even know whether your IoT product contains gSOAP or not. So even if you are keen to run a tight ship security-wise when it comes to your IoT devices, you may simply be oblivious that the devices you rely upon are at risk of exploitation.
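One practical answer to “I don’t know what is inside my device” is a component inventory: pull the printable strings out of a firmware image and compare any embedded library versions against the version a vendor says is fixed. The script below is an added example, not code from the article or from Genivia; the firmware fragment is constructed for the demonstration, the assumption that a gSOAP build embeds a banner of the form `gSOAP/<major>.<minor>.<patch>` is mine, and the fixed-version number is a placeholder that has to be taken from the actual vendor advisory.

```python
import re
from typing import Optional

# Constructed firmware fragment for this example (not a real image): a few
# printable strings of the kind a binary's read-only data typically carries.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Server: gSOAP/2.8.41\x00"       # assumed banner format (see lead-in)
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"
    + b"busybox v1.24.1\x00"
)

# Library name followed by a dotted version. The separator set covers
# "gSOAP/2.8.41", "OpenSSL 1.0.2k" and "busybox v1.24.1" style strings;
# the gSOAP form is an assumption for this example.
VERSION_RE = re.compile(
    rb"(gSOAP|OpenSSL|busybox)[/ v]+(\d+(?:\.\d+){1,2})", re.IGNORECASE
)


def parse_version(text: str) -> tuple:
    """'2.8.41' -> (2, 8, 41) so that tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_components(blob: bytes) -> dict:
    """Return {library_name: version_tuple} for every recognised string."""
    found = {}
    for match in VERSION_RE.finditer(blob):
        name = match.group(1).decode().lower()
        found[name] = parse_version(match.group(2).decode())
    return found


def needs_update(blob: bytes, library: str, fixed_version: tuple) -> Optional[bool]:
    """True  -> library present and older than fixed_version
       False -> library present and at/above fixed_version
       None  -> library string not found (unknown, not 'safe')."""
    components = find_components(blob)
    key = library.lower()
    if key not in components:
        return None
    return components[key] < fixed_version


if __name__ == "__main__":
    # Placeholder: replace with the fixed version from the vendor advisory.
    ASSUMED_FIXED_GSOAP = (2, 8, 99)
    print(find_components(SAMPLE_FIRMWARE))
    print("gSOAP needs update:",
          needs_update(SAMPLE_FIRMWARE, "gSOAP", ASSUMED_FIXED_GSOAP))
```

Run it against an unpacked firmware image (`open(path, "rb").read()`) instead of the constructed blob. A `None` result means the banner was not found, which is a gap in your inventory rather than evidence that the library is absent: static builds can strip strings, so treat it as “unknown” and follow up with the vendor.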
I believe that sometimes developers rely too heavily on third-party code without necessarily exploring whether including it in their product might be introducing new insecurities. The idea behind open source code is a fine one – plenty of eyes can examine the code to determine if there are vulnerabilities, but that only works if someone is bothering to look.
And as for businesses and home users? Always take great care about what devices you allow to be exposed to the public internet. If possible, place IoT devices behind a firewall to make it harder for hackers to exploit them remotely. And always consider whether the vendor you are buying IoT products from has a history of taking security seriously, and responding quickly and appropriately when serious problems like this are discovered.