‘Devil’s Ivy’ Vulnerability Could Afflict Millions of Internet-Connected Cameras and Card Readers

The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products. That means a single bug can impact a startling number of disparate devices. Or, as one security company’s researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk.

The Hack

On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it’s calling “Devil’s Ivy,” a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers. In all, the small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products. And while Genivia has already released a patch for the problem, it’s so widespread—and patching so spotty in the internet of things—that it could persist unfixed in a large swath of devices.

“We made this discovery in a single camera, but the code is used in a wide range of physical security products,” says Senrio chief operations officer Michael Tanji. “Anyone who uses one of the devices is going to be affected in one way or another.”

While internet of things devices might be the most vulnerable to the Devil’s Ivy flaw, Tanji points out that companies including IBM and Microsoft are exposed as well, though Senrio hadn’t yet identified any of those companies’ specific at-risk applications. “The scope and scale of this thing is arguably as big as anything we’ve been concerned about with computer security in recent history,” Tanji says.

Continue reading…