Open source libraries can be a great asset, unless one becomes widely adopted and a flaw is then found in it.
Senrio published a stack-buffer overflow vulnerability (CVE-2017-9765), labelled "Devil's Ivy", that allows remote code execution and was found in an open source third-party library used by many security camera systems. The investigation focused on cameras from Axis Communications, which confirmed to the team that the bug was present in 249 of its 252 security camera models.
Axis Communications has since released patched firmware and is prompting partners and customers to upgrade. If left unpatched, an attacker can remotely access a video feed or deny the owner access to it, which could prevent a crime being observed or even recorded.
Unfortunately, one should not focus only on Axis Communications, although they have been mentioned heavily in connection with this exploit. It is claimed that up to forty-four companies in the ONVIF forum, an international consortium of hardware vendors including the likes of Bosch, Honeywell, Hikvision, Sony, Panasonic and Cisco, could be affected.
The vulnerability lies deep in the communication layer, in an open source third-party toolkit called gSOAP, a widely used web services toolkit for SOAP (Simple Object Access Protocol). The library, hosted on SourceForge, has been downloaded by millions of software developers, so the flaw could extend well beyond CCTV security cameras.
It was named "Devil's Ivy" because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse. Its origin in a third-party toolkit downloaded millions of times means it has already spread to thousands of devices and will be difficult to eliminate entirely.
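To make the flaw class concrete, here is an added example written for this page (it is not gSOAP's code, not Senrio's, and does not reproduce the actual CVE-2017-9765 code path). It shows a tiny XML start-tag name extractor in its vulnerable form, which copies the name into a fixed-size stack buffer with no length check, beside a hardened form that refuses oversized input. The buffer size `TAG_NAME_MAX`, the function names and the sample SOAP envelope are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the flaw class: a tag-name extractor that
 * copies into a fixed-size stack buffer. Example code written for this
 * page; it is not gSOAP's code and does not reproduce CVE-2017-9765. */

#define TAG_NAME_MAX 32   /* assumed buffer size for the example */

/* Vulnerable form: copies the tag name until '>', '/' or a space, trusting
 * the remote sender to keep it under TAG_NAME_MAX. A longer name writes
 * past 'out' on the caller's stack (undefined behaviour). Returns length. */
size_t tag_name_unchecked(const char *xml, char *out)
{
    size_t n = 0;
    if (*xml == '<')
        xml++;
    while (*xml && *xml != '>' && *xml != '/' && *xml != ' ')
        out[n++] = *xml++;        /* no comparison against TAG_NAME_MAX */
    out[n] = '\0';
    return n;
}

/* Hardened form: the same loop, but it stops before the buffer is full and
 * reports the oversized name so the caller can reject the whole message. */
int tag_name_checked(const char *xml, char *out, size_t out_len)
{
    size_t n = 0;
    if (out_len == 0)
        return -1;
    if (*xml == '<')
        xml++;
    while (*xml && *xml != '>' && *xml != '/' && *xml != ' ') {
        if (n + 1 >= out_len) {   /* keep one byte for the terminator */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *xml++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Runs the checked parser over one start tag using a stack buffer of
 * TAG_NAME_MAX bytes; returns the name length, or -1 if it was rejected. */
int parse_start_tag(const char *xml)
{
    char name[TAG_NAME_MAX];
    return tag_name_checked(xml, name, sizeof name);
}

/* Constructed oversized input: a start tag whose name is 200 'A's, far
 * larger than TAG_NAME_MAX. The checked parser must refuse it. */
int parse_oversized_tag(void)
{
    char big[204];
    big[0] = '<';
    memset(big + 1, 'A', 200);
    big[201] = '>';
    big[202] = '\0';
    return parse_start_tag(big);
}

int main(void)
{
    char name[TAG_NAME_MAX];
    /* constructed sample message */
    const char *msg =
        "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\">";

    /* Both parsers behave identically on well-formed, short input. */
    tag_name_unchecked(msg, name);
    printf("unchecked: %s\n", name);
    printf("checked:   %d chars\n", parse_start_tag(msg));

    /* Only the checked parser is ever handed the oversized tag here; feeding
     * it to tag_name_unchecked would corrupt the stack. */
    printf("oversized: %d (rejected)\n", parse_oversized_tag());
    return 0;
}
```

Build with `cc -Wall -o tagdemo tagdemo.c` and run it. The point for reviewers of third-party parsing code is that the two loops differ by a single comparison; a compiler stack protector or fortified `memcpy` can only abort after the overwrite has happened, so the length check belongs in the parser itself, and a rejected message should be logged as a protocol violation rather than silently truncated.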
A complete technical walkthrough of the exploit has been published on Senrio's website. It is an interesting read, showing how they identified the bug, gained access to the system and achieved code execution on the exploited devices.
This exploit highlights a rising concern with the use of open source within IoT: while it can speed up product development, it proves dangerous when a widely adopted open source library contains a flaw that can impact millions of devices. Tighter code review processes and a closer look at the code being pulled in will be needed moving forward.
Even if manufacturers release firmware patches for their products to resolve this exploit, it is still the responsibility of the consumer to actually apply the patch, which on its own could mean the exploit is never fully eradicated.