
To see the exploit in action, check out our video on Vimeo, or read the full technical teardown.
Summary
Given the increasingly vital role IoT plays in modern life, we strive to improve the state of IoT security and share the knowledge we gain through our research with IoT manufacturers and users.
Our latest discovery was found in an Axis Communications security camera — the M3004 model. Axis Communications is one of the largest manufacturers of security web cameras globally. In fact, while passing through LAX last week, we saw one of the vulnerable models in use at the airport.
After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.
Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade.
THE IMPACT GOES FAR BEYOND AXIS
The impact of Devil’s Ivy goes far beyond Axis. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP (a toolkit for SOAP, the Simple Object Access Protocol). gSOAP is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time. Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server.
To help understand the magnitude and reach of this vulnerability, we turned to Genivia, the company that manages gSOAP. Genivia claims to have more than 1M downloads of gSOAP (most likely developers), and IBM, Microsoft, Adobe and Xerox as customers. On Sourceforge gSOAP was downloaded more than one thousand times in one week, and to date, 30,000 times in 2017. Once gSOAP is downloaded and added to a company’s repository, it’s likely used many times for different product lines.
In addition, Axis is one of thousands of companies that are part of the ONVIF forum, an organization responsible for maintaining software and networking protocols that are general purpose enough for a variety of companies to use in a wide range of physical security products. The forum relies on SOAP to support the ONVIF specifications, and approximately 6% of the forum members use gSOAP.
It is likely that tens of millions of products -- software products and connected devices -- are affected by Devil’s Ivy to some degree.
WHAT IS BEING DONE
Axis immediately informed Genivia, the company behind gSOAP, who released a patch. Axis also reached out to ONVIF to ensure all members of the forum are aware of the issue, and can move swiftly to develop a fix if they use gSOAP.
RECOMMENDATIONS
1. Keep physical security devices off of the public internet. As of July 1st, a search of Shodan indicated over 14,700 Axis dome cameras publicly accessible to anyone in the world. All the cameras that are vulnerable to Devil’s Ivy are potentially exploitable. Devices like security cameras should be connected to a private network, which will make exploitation much more difficult.
2. Defend IoT devices as much as possible. If you can place a firewall or other defensive mechanism in front of an IoT device, or utilize Network Address Translation (NAT), you can reduce their exposure and improve the likelihood of detecting threats against them.
3. Patch. Patching IoT devices is not always possible, even when the underlying OS is something familiar, like Windows XP. When a manufacturer does release a patch, make sure you update your devices as soon as possible. If this is not within your control, place other layers of security between your vulnerable device and the external internet.
CONCLUSION
The Internet of Things is ushering in an age of ambient computing. The more pervasive networked embedded devices (IoT) become in our lives, the more important it is to ensure they are resilient against attack. Identifying vulnerabilities in such devices is one way to help make them more secure. Devil’s Ivy was found while researching a security camera, but our research shows that a wide range of IoT devices have similar problems.
While forums like ONVIF serve a useful purpose when it comes to issues of cost, efficiency, and interoperability, it is important to remember that code reuse is vulnerability reuse. The significance of this principle in the physical security device industry should be self-evident.
The same reasons why manufacturers join ONVIF in the first place apply to issues of security as well: a community working together can more rapidly and effectively reduce risks. The speed at which Axis worked to address this issue is a testament to how seriously they take security.
Devil’s Ivy highlights the industry’s growing concern with the security of IoT. We forget or don’t realize that many of the devices we use every day are computers — from the stoplight at your street corner to the Fitbit you wear on your wrist — and are therefore just as vulnerable as, if not more vulnerable than, the PC you sit in front of every day.
* We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse. Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate.
A video demonstration of Devil's Ivy on the Axis M3004 security camera is available, as is the full technical teardown.