Slashdot Mirror


Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers (vice.com)

New submitter Aliciadivo writes: A nasty vulnerability found in Axis security cameras could allow hackers to take full control of several types of Internet of Things devices, and in some cases, software programs, too. The Senrio research team found that devices and software programs using an open source software library called gSOAP to enable their product to communicate to the internet could be affected. Stephen Ridley, founder of Senrio, said: "I bet you all these other manufacturers have the same vulnerability throughout their product lines as well. It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of." A spokesperson for ONVIF, an electronics industry consortium that includes Axis and has some members that use gSOAP, said it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected." Hundreds of thousands of devices might be affected, as a search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results. You can view Senrio Labs' video on the exploit (which they refer to as the "Devil's Ivy Exploit") here.

53 comments

  1. not a flaw by turkeydance · · Score: 3, Funny

    it's a feature. approaching a standard

    1. Re:not a flaw by Anonymous Coward · · Score: 2, Insightful

      You beat me to it! Lack of security, and security flaws are intentional features of all IoT devices! If IoT devices had any security at all, that would defeat their main purpose, which is to spy on their purchasers for their real corporate owners!

      Just say NO to these IoT spies in your homes! I do!!

    2. Re:not a flaw by JaredOfEuropa · · Score: 1

      Not a feature, but it's a fair assumption that an IoT device contains either a vulnerability, or something that sends data to its master when it's not supposed to, or both. Assuming that, you have no business hooking up any such devices directly to the internet with not even a NAT to hide behind. Any IoT device should sit behind a bastard of a firewall that lets nothing out, or in case the device does need some connection to the Internet to function, is very restrictive about the connections it is allowed to make.

      In other words: isolate these things on your LAN. And avoid devices that do not really need Internet from a functional perspective yet require a connection because whatever.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...

    3. Re:not a flaw by Anonymous Coward · · Score: 0

      You're a nuanced Luddite.

    4. Re:not a flaw by Anonymous Coward · · Score: 0

      The S in IoT stands for security.

    5. Re:not a flaw by gnick · · Score: 1

      In other words: isolate these things on your LAN.

      That's fine advice for slashdot users, but will be ignored by the vast majority of customers. When somebody buys an IoT device, they're likely to go through the minimum set of steps that get the functions they want running. "Extra" features, like generating the occasional SYN flood, will be enabled along the way. Neither the manufacturers nor the customers have adequate motivation to secure these things. If there were consequences for an IoT device acting up (e.g. your ISP cuts your line until you have your shit sorted), we'd see a change of behavior on both sides. Right now, the only consequences of your IoT toaster participating in a DDoS attack are effectively invisible.

      --
      He's getting rather old, but he's a good mouse.

    6. Re:not a flaw by JaredOfEuropa · · Score: 1

      Just so. I wouldn't even trust us slashdotters (or myself for that matter) to get this right all the time. We do need a multi-pronged approach, and anomaly detection is one of them. The ISPs might be able to play a role in that, though as we've seen in the last DDOS attack by IoT devices, botnet operators have learned to fly under the radar and send only small amounts of traffic per device instead of crapflooding to the max of its extent. Detection at the ISP level is becoming harder. But I've not seen any client side solutions that I'd call consumer friendly.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...

    7. Re:not a flaw by h4ck7h3p14n37 · · Score: 1

      Don't put your IOT devices directly on the Internet, set up a VPN at home and use that to access them. Your phone should have a VPN client included and any apps should behave just like you were on the local network. Some devices will need outbound access, but not all. You can either pass all traffic out, or do a little investigative work and set up some filtering.

      I use libreswan for VPN access, but it can be a little tricky to set up and get the routing correct. Does anyone make an easy to use VPN appliance?

  2. It's not a *security* camera... by Anonymous Coward · · Score: 0

    ... if it's connected to the internet. Email isn't secure either. Who'd a thought?

    1. Re:It's not a *security* camera... by Anonymous Coward · · Score: 0

      I think some don't know about security like you don't know about grammar/spelling -- who'd of / who'd have, never who'd a. ho dhor ho de dor.

  3. Re:Would the Rust programming language help? by Anonymous Coward · · Score: 0

    LOL. Isn't that spelled J-A-V-A?

  4. I'm Confused - or someone else is by Anonymous Coward · · Score: 0

    "it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." "

    The members have been notified, but it is NOT up to them to handle it?
    Then who the hell is it up to?

    Oh, wait - is this just another example of poor writing on behalf of the editors?

  5. Overhyped by Anonymous Coward · · Score: 0

    Overhyped article. It doesn't affect every IoT device. Typical fearmongering from Vice

  6. Re:Would the Rust programming language help? by Anonymous Coward · · Score: 0

    But - does Rust run on a Mac?

  7. Re:Would the Rust programming language help? by Anonymous Coward · · Score: 1

    You should post this informative news about Rust in a C++ forum.

    Those guys need all the help they can get!

  8. This was impossible to predict... by JoeDuncan · · Score: 3, Funny

    Nobody could have possibly known in advance that hooking *everything* up to the internet was a security risk, right?

    1. Re:This was impossible to predict... by Neuronwelder · · Score: 1

      Well said! Here is a THINKER!!!

    2. Re:This was impossible to predict... by Anonymous Coward · · Score: 0

      Who needs to hack into those billions of IoT devices when they all upload their data to a bunch of cloud servers? Why go after the small fish when there are whales to be harvested out there. It seems every week that there is a major security breach where your data was stolen by a hacker or a disgruntled employee, or because the company that made the IoT device just outright sold your data to the highest bidder. If your data is not stored on devices you control, it is at risk.

  9. Krebs by Gravis+Zero · · Score: 1

    more info at Krebs: https://krebsonsecurity.com/20...

    “You probably wouldn’t be able to make a universal, Mirai-style exploit for this flaw because it lacks the elements of simplicity and reproducibility,” Karas said, noting that the exploit requires that an attacker be able to upload at least a 2 GB file to the Web interface for a vulnerable device.

    it's worth noting that you can easily send several gigabytes of zeros if you can mark the communication as using gzip compression.

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:Krebs by johnjones · · Score: 1

      exactly, it's trivial to send 2GB; however, the manufacturers should have used a webserver that can mitigate this kind of thing

      what exactly does ONVIF give anyone beyond pan tilt zoom?

    2. Re:Krebs by schitso · · Score: 1

      ONVIF attempts to make it so that you can use any camera with any VMS, and they do an alright job of it. You can be mostly certain you'll at least get video from the camera, but good luck with camera-side motion detection/video analytics, onboard storage, or any other "advanced" features.

    3. Re:Krebs by Anonymous Coward · · Score: 0

      ONVIF is getting there with video analytics, but that's recent.

      No surprise really - standards always trail proprietary extensions, mostly because standards tend to evolve from proprietary standards.

      My current beef with ONVIF would be *audio* analytics, that's far easier with Axis proprietary "VAPIX".
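The gzip point raised in the Krebs sub-thread above, seen from the server side: a limit on bytes received does not bound what a compressed body expands to, so a web front end has to cap the decompressed size as well. The sketch below is an added example, not code from gSOAP, Axis or any commenter; the function names and both limits are assumptions chosen for illustration, and the sample body is constructed.

```python
import gzip
import zlib


class BodyTooLarge(Exception):
    """Raised when a request body exceeds a configured limit."""


def chunked(data, size=4096):
    """Yield data in fixed-size pieces, as a socket read loop would."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def bounded_gunzip(chunks, max_wire=1 << 20, max_out=8 << 20):
    """Decompress a gzip body incrementally under two caps (assumed values):
    max_wire on compressed bytes received, max_out on bytes produced."""
    d = zlib.decompressobj(wbits=31)  # wbits=31 selects the gzip container
    out = bytearray()
    wire = 0
    for chunk in chunks:
        wire += len(chunk)
        if wire > max_wire:
            raise BodyTooLarge("compressed body exceeds max_wire")
        data = chunk
        while data:
            # Request at most one byte beyond the remaining budget, so the
            # full expansion is never materialised in memory.
            room = max_out - len(out)
            out += d.decompress(data, room + 1)
            if len(out) > max_out:
                raise BodyTooLarge("decompressed body exceeds max_out")
            data = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def constructed_body(n_bytes):
    """Constructed sample: n_bytes of zeros, gzip-compressed."""
    return gzip.compress(bytes(n_bytes))


def check(body, **limits):
    """Return 'accepted' or the reason the body was refused."""
    try:
        bounded_gunzip(chunked(body), **limits)
        return "accepted"
    except (BodyTooLarge, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    big = constructed_body(16 << 20)
    print(len(big), "bytes on the wire ->", check(big))
```

The same two-limit rule applies whatever server terminates the connection: reject on the wire count first, then on the running output count, before the payload reaches the SOAP parser.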

  10. Re: Would the Rust programming language help? by Anonymous Coward · · Score: 0

    Your recommendation has merit, but how can we convince millennial programmers to use Rust?

  11. Re: Reasons why I don't like the Internet of Thing by TheOuterLinux · · Score: 1

    But think of the children! Trackers for everyone! Biometric scanners all around! All hail Facefarm. Big Brother loves you. People I don't want to understand or acknowledge are all "terrorists" because differences and the potential of being wrong is terrifying. IoT vulnerabilities aren't bugs, but features for sheeple that need to feel like guardian angels exist and that the "1984" that millennials joke about is someone else's fault and is inevitable. People in the tech world like to think that their niche is all good and that black hats are something else unrelated to them. So, we "good people" imagine that the only ones watching are intelligence agencies or white hats, deluding ourselves and tolerating IoT vulnerabilities. The companies that make them only care about money and seem to have zero responsibility for them. Most consumers aren't even aware at all. Just wait until quantum cloud computing and AI becomes a normal thing; it's going to be a Theresa May wet dream.

  12. Re: Would the Rust programming language help? by Anonymous Coward · · Score: 0

    That's easy... offer users a chance to win free gender reassignment surgery!

  13. Bad Headline - Flaw is in gSOAP by Anonymous Coward · · Score: 5, Informative

    This has nothing to do with IoT. The bug is in gSOAP which is used everywhere as it's one of the go-to choices when picking a library for communication over SOAP, REST, and/or XML. Basically any company doing something with web services likely used gSOAP at one point. Here's a blurb from their website:

    "The gSOAP toolkit is used by most of the top Fortune 500 companies and all of the top 15 technology companies. Speed, reliability and flexibility, coupled with a proven track record and used by some of the largest technology vendors makes it an ideal platform to develop applications using Web services and XML processing. Applications include embedded systems, mobile devices, telecommunications, routers, online games, Web TV, banking systems, auction systems, news outlets, network management systems, grid and cloud computing platforms, and security software."

    1. Re:Bad Headline - Flaw is in gSOAP by Anonymous Coward · · Score: 2, Interesting

      The blame is actually not gSOAP per se. The problem is the vendor’s improper use of the gSOAP software as the library in the documentation states clearly that the preferred way to deploy services is to use Apache or IIS. Common sense, right? I understand that they rolled out their own server. It takes only one ONVIF vendor who then blames gSOAP but appears not to understand the importance of server deployment principles. Not that many ONVIF protocol users are affected because of the configuration with Apache and other protections already in place.

  14. Not a new thing by DatbeDank · · Score: 1

    I used to do this using Google back in 2004 searching for publicly accessible web cams and the strings that their web viewer used. Some even allowed you to control them which was awesome. If you're too stupid to add a password to any iot device, you deserve the pain that comes.

    1. Re:Not a new thing by Anonymous Coward · · Score: 0

      Some cameras don't require a password to access the camera via some modes, such as ONVIF. Dahua is one example of a camera that allows access to ONVIF without a password (rather, a single fixed user/password: admin/admin). Same with RTSP. Many, many cameras BY DESIGN allow stream access to a camera at :554. No password. Some allow authentication over RTSP; some allow turning off that authentication; some just don't care. Same for snapshot access; not unusual to not require a password.

      The worst offender in all IoT? Foscam and the hundreds of camera "makers" that use that bottom-cheap Made in China IP camera. Not an "if", not even a "when", but a "how many" times these cameras spy on their owners.

      Axis I am sort of surprised, but I think in the last 10 years it has gone the cheap route, too. gSOAP being a common failure is not an excuse.

    2. Re:Not a new thing by Lt.Hawkins · · Score: 1

      Yes, you're right in general, but this isn't that. This isn't a lack of credentials / poor password thing. This is a legit stack vulnerability that leads to arbitrary code execution, and a ROP chain shellcode. A password wouldn't help.

      http://blog.senr.io/devilsivy....

      --
      -- My Sig is a P228.

  15. Sadly.... by Lumpy · · Score: 1

    Most of the shit ONVIF cameras won't let you turn that crap off.
    I don't care if the username password is "admin admin". My cameras are 100% hackerproof because they are on a private locked down network. The only gateway to the internet is the single recording PC, and even then you have to VPN in to that network to see them.

    Basically if you are dumb you put your IOT stuff on the internet. The smart people treat all of it as dangerous and put it on a network that is segmented and protected because you can not know what these damn things do because every company has to hide their own secrets inside them.

    --
    Do not look at laser with remaining good eye.

    1. Re:Sadly.... by bill_mcgonigle · · Score: 1

      Yeah, I knew I was buying a sketchy Chinese camera that wanted to phone-home for "remote access" features, but VLANs and firewall rules work just fine and only the recording VM needs to ever get traffic from it.

      Trouble is, only networking geeks can get this kind of thing working today.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    2. Re:Sadly.... by aaarrrgggh · · Score: 1

      It works pretty well, until you get into things like Sonos needing an encrypted stream for Amazon Music that you can't easily firewall and proxy at the perimeter. (Not that I know of Sonos as being vulnerable.)

      It gets worse with things like the Echo, Apple TV, etc.

    3. Re: Sadly.... by Anonymous Coward · · Score: 0

      There's a PDF requiring registration at Academia.edu that's all about Sonos vulnerabilities. Use it to harden your LAN: "Security Issues of Contemporary Multimedia Implementations The Case of Sonos and SonosNet."

      (slashdot screened the link)

    4. Re: Sadly.... by aaarrrgggh · · Score: 1

      Thanks for the info. So Sonos now gets its own vlan with a firewall on port 1400 to at least manage xss and remote code execution issues... Not perfect, but likely the best we can do.

  16. I'm building an IOT device right now!! by Anonymous Coward · · Score: 0

    You know what makes mine different??
    I will allow full control to the users/owners of the device.. if access is not needed outside the LAN it will not cross that line.. won't have any openings for incoming connections at the moment just a simple HTML page..

    I will provide granular control options, why??
    When I was asked to start this product they said it must be wifi connected, I asked why?? What functions/benefits do you get over a LCD screen. The customer explained what they wanted and I agreed with stipulations that the user gets control..
    there are only a few functions that internet access provides a benefit to anyone so these will be user configurable and controllable...

    Next I will have to implement some way to let users/owners integrate that with third party servers so all IOT things can be monitored from one spot

  17. Who knew IoT security could be so hard? by Nyder · · Score: 1

    This problem will always exist while management is held to the standard of cost is more important than security approach to producing items.

    --
    Be seeing you...

    1. Re:Who knew IoT security could be so hard? by Anonymous Coward · · Score: 0

      Security is hard! Let's go shopping.

  18. Who knew security could be so affordable? by Anonymous Coward · · Score: 0

    A small security related deal. Humble Bundle in the book section has plenty of security/hacking/cryptography books for $15. A very good deal.

  19. Re:Would the Rust programming language help? by Dagger2 · · Score: 1

    To be specific, since I also saw the /. thread from a few days ago and I know some people need a little help understanding this: Rust is a solution to some classes of IoT security problems. It's not a solution to all classes of IoT security problems.

    Apparently this particular issue is a stack buffer overflow that leads to remote code execution, which seems like exactly the sort of bug that wouldn't have been possible if the library had been written in Rust. So, it would've helped quite a lot here.

  20. It's the Appernet of Apps! by Anonymous Coward · · Score: 0

    Only LUDDITES expect LUDDITE cameras to have LUDDITE security! Modern app appers use appy Appernet of App apps to app other apps!

    Apps!

  21. It's worse than that by Anonymous Coward · · Score: 0

    Take Swann DVRs for example, straight out of the box if one was to configure an admin password and connect it to the net using DDNS (swanndvr.net) then ANYONE can use software to connect to the DVR using any username/password that they choose, it literally accepted everyone. Only after creating a guest user account with password was I able to stop this. Nowhere does it state to do that in manuals nor has anyone else noticed this through searching...

    1. Re:It's worse than that by Anonymous Coward · · Score: 0

      ok tell the ip of one with HBO content on it!

  22. Re:Would the Rust programming language help? by arglebargle_xiv · · Score: 1

    You're playing the game wrong, you have to say the name of a problem out loud five times before you rust flakes are allowed to start appearing, not just once. See this reference. Also, I believe a mirror should be involved.

  23. Re: Would the Rust programming language help? by csimpkin · · Score: 1

    I have, admittedly, only worked with a few microcontrollers like what is going in a lot of IoT devices. But, none of them had segmented memory like x86 and x64 that gives rise to the Segmentation Fault.

  24. Sadly....Networks. by Anonymous Coward · · Score: 1

    Go over to smallnetbuilder forums. Plenty will explain both. There are even tutorials.

  25. Acronym by Anonymous Coward · · Score: 0

    IoT; The 'S' is for Security!

  26. wrong name by Anonymous Coward · · Score: 0

    I(di)oT

  27. Internet of Trash by Bob+the+Super+Hamste · · Score: 1

    I always thought IoT stood for Internet of Trash. So far that hypothesis holds.

    --
    Time to offend someone

  28. Just Stop... by Anonymous Coward · · Score: 0

    ...using SOAP already. Gah, a cumbersome framework.