Slashdot Mirror


Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers (vice.com)

New submitter Aliciadivo writes: A nasty vulnerability found in Axis security cameras could allow hackers to take full control of several types of Internet of Things devices, and in some cases, software programs, too. The Senrio research team found that devices and software programs using an open source software library called gSOAP to enable their product to communicate to the internet could be affected. Stephen Ridley, founder of Senrio, said: "I bet you all these other manufacturers have the same vulnerability throughout their product lines as well. It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of." A spokesperson for ONVIF, an electronics industry consortium that includes Axis and includes some members that use gSOAP, said it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected." Hundreds of thousands of devices might be affected, as a search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results. You can view Senrio Labs' video on the exploit (which they refer to as the "Devil's Ivy Exploit") here.

5 of 53 comments

  1. not a flaw by turkeydance · Score: 3, Funny

    it's a feature. approaching a standard

    1. Re:not a flaw by Anonymous Coward · Score: 2, Insightful

      You beat me to it! Lack of security, and security flaws are intentional features of all IoT devices! If IoT devices had any security at all, that would defeat their main purpose, which is to spy on their purchasers for their real corporate owners!

      Just say NO to these IoT spies in your homes! I do!!

  2. This was impossible to predict... by JoeDuncan · Score: 3, Funny

    Nobody could have possibly known in advance that hooking *everything* up to the internet was a security risk, right?

  3. Bad Headline - Flaw is in gSOAP by Anonymous Coward · Score: 5, Informative

    This has nothing to do with IoT. The bug is in gSOAP which is used everywhere as it's one of the go-to choices when picking a library for communication over SOAP, REST, and/or XML. Basically any company doing something with web services likely used gSOAP at one point. Here's a blurb from their website:

    "The gSOAP toolkit is used by most of the top Fortune 500 companies and all of the top 15 technology companies. Speed, reliability and flexibility, coupled with a proven track record and used by some of the largest technology vendors makes it an ideal platform to develop applications using Web services and XML processing. Applications include embedded systems, mobile devices, telecommunications, routers, online games, Web TV, banking systems, auction systems, news outlets, network management systems, grid and cloud computing platforms, and security software."

    1. Re:Bad Headline - Flaw is in gSOAP by Anonymous Coward · Score: 2, Interesting

      The blame is actually not gSOAP per se. The problem is the vendor’s improper use of the gSOAP software as the library in the documentation states clearly that the preferred way to deploy services is to use Apache or IIS. Common sense, right? I understand that they rolled out their own server. It takes only one ONVIF vendor who then blames gSOAP but appears not to understand the importance of server deployment principles. Not that many ONVIF protocol users are affected because of the configuration with Apache and other protections already in place.