Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers (vice.com)

Posted by BeauHD on from the open-book dept.

New submitter Aliciadivo writes: A nasty vulnerability found in Axis security cameras could allow hackers to take full control of several types of Internet of Things devices, and in some cases, software programs, too. The Senrio research team found that devices and software programs using an open source software library called gSOAP to enable their product to communicate to the internet could be affected. Stephen Ridley, founder of Senrio, said: "I bet you all these other manufacturers have the same vulnerability throughout their product lines as well. It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of." A spokesperson for ONVIF, an electronics industry consortium that includes Axis and has includes some members that use gSOAP, said it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected." Hundreds of thousands of devices might be affected, as a search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results. You can view Senrio Labs' video on the exploit (which they refer to as the "Devil's Ivy Exploit") here.

27 of 53 comments (clear)

  1. not a flaw by turkeydance · · Score: 3, Funny

    it's a feature. approaching a standard

    1. Re:not a flaw by Anonymous Coward · · Score: 2, Insightful

      You beat me to it! Lack of security, and security flaws are intentional features of all IoT devices! If IoT devices had any security at all, that would defeat their main purpose , which is to spy on their purchasers for their real corporate owners!

      Just say NO to these IoT spies in your homes! I do!!

    2. Re:not a flaw by JaredOfEuropa · · Score: 1

      Not a feature, but it's a fair assumption that an IoT device contains either a vulnerability, or something that sends data to its master when it's not supposed to, or both. Assuming that, you have no business hooking up any such devices directly to the internet with not even a NAT to hide behind. Any IoT device should sit behind a bastard of a firewall that lets nothing out, or in case the device does need some connection to the Internet to function, is very restrictive about the connections it is allowed to make.

      In other words: isolate these things on your LAN. And avoid devices that do not really need Internet from a functional perspective yet require a connection because whatever.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:not a flaw by gnick · · Score: 1

      In other words: isolate these things on your LAN.

      That's fine advice for slashdot users, but will be ignored by the vast majority of customers. When somebody buys an IoT device, they're likely to go through the minimum set of steps that get the functions they want running. "Extra" features, like generating the occasional SYN flood, will be enabled along the way. Neither the manufacturers nor the customers have adequate motivation to secure these things. If there were consequences for an IoT device acting up (e.g. your ISP cuts your line until you have your shit sorted), we'd see a change of behavior on both sides. Right now, the only consequences of your IoT toaster participating in a DDoS attack are effectively invisible.

      --
      He's getting rather old, but he's a good mouse.
    4. Re:not a flaw by JaredOfEuropa · · Score: 1

      Just so. I wouldn't even trust us slashdotters (or myself for that matter) to get this right all the time. We do need a multi pronged approach, and anomaly detection is one of them. The ISPs might be able to play a role in that, though as we've seen in the last DDOS attack by IoT devices, botnet operators have learned to fly under the radar and send only small mounts of traffic per device instead of crapflooding to the max of its extent. Detection at the ISP level is becoming harder. But I've not seen any client side solutions that I'd call consumer friendly.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:not a flaw by h4ck7h3p14n37 · · Score: 1

      Don't put your IOT devices directly on the Internet, setup a VPN at home and use that to access them. Your phone should have a VPN client included and any apps should behave just like you were on the local network. Some devices will need outbound access, but not all. You can either pass all traffic out, or do a little investigative work and setup some filtering.

      I use libreswan for VPN access, but it can be a little tricky to setup and get the routing correct. Does anyone make an easy to use VPN appliance?

  2. Re:Would the Rust programming language help? by Anonymous Coward · · Score: 1

    You should post this informative news about Rust in a C++ forum.

    Those guys need all the help they can get!

  3. This was impossible to predict... by JoeDuncan · · Score: 3, Funny

    Nobody could have possibly known in advance that hooking *everything* up to the internet was a security risk, right?

    1. Re:This was impossible to predict... by Neuronwelder · · Score: 1

      Well said! Here is a THINKER!!!

  4. Krebs by Gravis+Zero · · Score: 1

    more info at Krebs: https://krebsonsecurity.com/20...

    “You probably wouldn’t be able to make a universal, Mirai-style exploit for this flaw because it lacks the elements of simplicity and reproduceability,” Karas said, noting that the exploit requires that an attacker be able to upload at least a 2 GB file to the Web interface for a vulnerable device.

    it's worth noting that using you can easily send several gigabytes of zeros if you can mark the communication as using gzip compression.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Krebs by johnjones · · Score: 1

      exactly its trivial to send 2GB however the manufacturers should have used a webserver that can mitigate this kind of thing

      what exactly does ONIF give anyone beyond pan tilt zoom ?

       

    2. Re:Krebs by schitso · · Score: 1

      ONVIF attempts to make it so that you can use any camera with any VMS, and they do an alright job of it. You can be mostly certain you'll at least get video from the camera, but good luck with camera-side motion detection/video analytics, onboard storage, or any other "advanced" features.

  5. Re: Reasons why I don't like the Internet of Thing by TheOuterLinux · · Score: 1

    But think of the children! Trackers for everyone! Biometric scanners all around! All hail Facefarm. Big Brother loves you. People I don't want to understand or acknowledge are all "terrorists" because differences and the potential of being wrong is terrifying. IoT vulnerabilities aren't bugs, but features for sheeple that need to feel like guardian angels exist and that the "1984" that millenials joke about is someone else's fault and is inevitable. People in the tech world like to think that their niche is all good and that black hats are something else unrelated to them. So, we "good people" imagine that the only ones watching are intelligence agencies or white hats, deluding ourselves and tolerating IoT vulnerabilities. The companies that make them only care about money and seem to have zero responsibility for them. Most consumers aren't even aware at all. Just wait until quantum cloud computing and AI becomes a normal thing; it's going to be a Theresa May wet dream.

  6. Bad Headline - Flaw is in gSOAP by Anonymous Coward · · Score: 5, Informative

    This has nothing to do with IoT. The bug is in gSOAP which is used everywhere as it's one of the go-to choices when picking a library for communication over SOAP, REST, and/or XML. Basically any company doing something with web services likely used gSOAP at one point. Here's a blurb from their website:

    "The gSOAP toolkit is used by most of the top Fortune 500 companies and all of the top 15 technology companies. Speed, reliability and flexibility, coupled with a proven track record and used by some of the largest technology vendors makes it an ideal platform to develop applications using Web services and XML processing. Applications include embedded systems, mobile devices, telecommunications, routers, online games, Web TV, banking systems, auction systems, news outlets, network management systems, grid and cloud computing platforms, and security software."

    1. Re:Bad Headline - Flaw is in gSOAP by Anonymous Coward · · Score: 2, Interesting

      The blame is actually not gSOAP per se. The problem is the vendor’s improper use of the gSOAP software as the library in the documentation states clearly that the preferred way to deploy services is to use Apache or IIS. Common sense, right? I understand that they rolled out their own server. It takes only one ONVIF vendor who then blames gSOAP but appears not to understand the importance of server deployment principles. Not that many ONVIF protocol users are affected because of the configuration with Apache and other protections already in place.

  7. Not a new thing by DatbeDank · · Score: 1

    I used to do this using Google back in 2004 searching for publicly accessible web cams and the strings that their web viewer used. Some even allowed you to control them which was awesome. If you're too stupid to add a password to any iot device, you deserve the pain that comes.

    1. Re:Not a new thing by Lt.Hawkins · · Score: 1

      Yes, you're right in general, but this isn't that. this isn't a lack of credentials / poor password thing. This is a legit stack vulnerability that leads to arbitrary code execution, and a ROP chain shellcode. A password wouldn't help.

      http://blog.senr.io/devilsivy....

      --
      -- My Sig is a P228.
  8. Sadly.... by Lumpy · · Score: 1

    Most of the shit ONVIF cameras wont let you turn that crap off.
    I dont care if the username password is "admin admin" My cameras are 100% hackerproof because they are on a private locked down network. The only gateway to the internet is the single recording PC, and even then you have to VPN in to that network to see them.

    Basically if you are dumb you put your IOT stuff on the internet. The smart people treat all of it as dangerous and put it on a network that is segmented and protected because you can not know what these damn things do because every company has to hide their own secrets inside them.

    --
    Do not look at laser with remaining good eye.
    1. Re:Sadly.... by bill_mcgonigle · · Score: 1

      Yeah, I knew I was buying a sketchy Chinese camera that wanted to phone-home for "remote access" features, but VLAN's and firewall rules work just fine and only the recording VM needs to ever get traffic from it.

      Trouble is, only networking geeks can get this kind of thing working today.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Sadly.... by aaarrrgggh · · Score: 1

      It works pretty well, until you get into things like Sonos needing an encrypted stream for Amazon Music that you can't easily firewall and proxy at the perimeter. (Not that I know of Sonos as being vulnerable.)

      It gets worse with things like the Echo, Apple TV, etc.

    3. Re: Sadly.... by aaarrrgggh · · Score: 1

      Thanks for the info. So Sonos now gets its own vlan with a firewall on port 1400 to at least manage xss and remote code execution issues... Not perfect, but likely the best we can do.

  9. Who knew IoT security could be so hard? by Nyder · · Score: 1

    This problem will always exist while management is held to the standard of cost is more important then security approach to producing items.

    --
    Be seeing you...
  10. Re:Would the Rust programming language help? by Dagger2 · · Score: 1

    To be specific, since I also saw the /. thread from a few days ago and I know some people need a little help understanding this: Rust is a solution to some classes of IoT security problems. It's not a solution to all classes of IoT security problems.

    Apparently this particular issue is a stack buffer overflow that leads to remote code execution, which seems like exactly the sort of bug that wouldn't have been possible if the library had been written in Rust. So, it would've helped quite a lot here.

  11. Re:Would the Rust programming language help? by arglebargle_xiv · · Score: 1

    You're playing the game wrong, you have to say the name of a problem out loud five times before you rust flakes are allowed to start appearing, not just once. See this reference. Also, I believe a mirror should be involved.

  12. Re: Would the Rust programming language help? by csimpkin · · Score: 1

    I have, admittedly, only worked with a few microcontrollers like what is going in a lot of IoT devices. But, none of them had segmented memory like x86 and x64 that gives rise to the Segmentation Fault.

  13. Sadly....Networks. by Anonymous Coward · · Score: 1

    Go over to smallnetbuilder forums. Plenty will explain both. There are even tutorials.

  14. Internet of Trash by Bob+the+Super+Hamste · · Score: 1

    I always thought IoT stood for Internet of Trash. So far that hypothesis holds.

    --
    Time to offend someone