Friday, July 21, 2017

Devil's Ivy vulnerability targets connected cameras

By Nick Flaherty www.flaherty.co.uk

Security researchers have identified yet another vulnerability in Internet-connected video cameras, calling it Devil's Ivy.

The team at Senrio found that 249 models out of 251 cameras from Axis Communications suffered from a stack overflow vulnerability that allowed malware to be injected. This isn't even about protecting the data sent from the camera as part of the Internet of Things (IoT), but about attacking the hardware of the camera itself to gain direct access to that data.

The name Devil's Ivy comes from the fact that the problem is difficult to address and is a result of problems with software libraries. However, this is a hole in the software, not malware that is moving across the IoT.

Devil’s Ivy results in remote code execution and was found in an open source third-party code library from gSOAP, says the team at Senrio. When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to be secure in an area such as a bank lobby, this could lead to the collection of sensitive information or prevent a crime from being observed or recorded.

This highlights a problem in the embedded software development process.

"Pervasive vulnerabilities in third-party libraries are a well understood problem and highlights something that we, as a community of both security experts and software engineers, need to work together to resolve," said Chris Schmidt, senior manager for research at EDA tool vendor Synopsys. 

"Software will continue to depend more and more on code re-use and third-party libraries and frameworks and this problem stems from how software is written now," he said. "Engineers often go out of their way to select a library from a catalogue of hundreds of possibilities which most closely match the capabilities they desire with the smallest possible footprint. More often than not, this results in the use of immature code which compounds when applications inherit the risks, bugs, and flaws that exist across all those purpose-built libraries they’ve imported to support the capabilities they require for the application.

"Sites like StackOverflow provide a fertile breeding ground for insecure code, owing to the number of inexperienced, but well-meaning engineers sharing code solutions to specific problems online; forums that are generally closed to people outside of specific industries, types of applications, languages, or frameworks breed pervasive vulnerabilities due to the lack of visibility outside of a specific group of users," he said.

"Organisations can help temper the wildfire of these types of pervasive security issues by enforcing policies that require verification and independent review of third-party code before it’s used; however this generally doesn’t scale and severely limits the ability of engineers to innovate at a competitive speed."

This needs more security testing.

"We are now bearing witness to a world where mass produced IoT devices lack any reasonable program for vulnerability identification and management. This, coupled with weak authentication, means that many of these devices are just waiting for their turn to become victims of the hack of the week club," said Mike Ahmadi, global director of critical systems security at Synopsys.

"We have managed to work our way into a hole, and it is going to get a lot worse before it gets better. The still prevalent lack of vulnerability identification and weak authentication by device manufacturers means that we potentially face decades of problems. I hate to paint a grim picture, but hopefully it will cause organisations to dedicate more resources towards proactively addressing these issues."
