New Vulnerability Hits IoT Cameras

  /     /     /  
Publicated : 22/11/2024   Category : security

New Vulnerability Hits IoT Cameras


A vulnerability first seen in IoT cameras has the potential to go much, much further.


Since this is the week of Black Hat, its likely that there will be a number of articles on different vulnerabilities and hacks here at SecurityNow.com. Today, though, before I even get on an airplane heading into the desert, theres a new vulnerability with a reach that could be epic. And before I get into the vulnerability, theres something I have to type: Just because the Internet of Things involves devices of little intelligence theres no need for system architects and developers to act equally dim.
I felt the need to start with that because the latest vulnerability, dubbed
Devils Ivy
by the
researchers at Senrio
who found the flaw, is a problem that could hit millions of devices -- because its a weakness in a code library rather than in a specific device.
The problem was found in dome cameras made by Axis Communications, a company that specializes in cameras for industrial, surveillance and other non-broadcast installations. The Senrio researchers discovered that the cameras were susceptible to a
stack buffer overflow
in a routine that exists in the gSOAP open source library.
Senrio acted responsibly, alerting Genivia, the company that manages the library, that the flaw existed, and not releasing
details of the vulnerability
to the public until after the flaw had been patched. Thats the good news. Unfortunately, the bad news pretty much overwhelms the good, in this case.
Start with the fact that common code libraries are frequently used by scores of companies on software that is inserted into millions of devices. Some commenters have focused on the open source nature of the library, deciding that reusing the code is a bad practice that leads to widespread vulnerabilities.
Theyre right, in one sense: A vulnerability in frequently reused code, whether that code is in a library, function, operating system or applet means that the vulnerability will end up on far more endpoint devices than if the code were custom-developed for each instance. In another sense, though, theyre quite wrong: code reuse is not limited to open source projects and is one of the fundamental principals behind agile development and DevOps. Blaming this on open source is wrong.
For that matter, blaming it on code reuse is wrong, too. Not to put too fine a point on it, but if every application team had to independently recreate every display and communications function, every network stack, and every data retrieval method, wed have far, far fewer applications in the enterprise world than currently exist, and the IoT would have three dozen applications that did creative things like tell the temperature but nothing more.
Youre invited to attend Light Readings
Virtualizing the Cable Architecture event
– a free breakfast panel at SCTE/ISBEs Cable-Tec Expo on October 18 featuring Comcasts Rob Howald and Charters John Dickinson.
No, if theres a problem here its that development teams are still not adequately testing for things like stack buffer overflow. Its not like this sort of vulnerability is unheard of. And its not like weve never seen a vulnerability in a common library. Its time to start testing far more thoroughly, starting with the foundations.
Its also time we realized that, if the Internet of Things is going to develop, it has to develop safely. Among many other things that means designing endpoint devices so they can be safely updated and their user ID and passwords changed from factory defaults. Pretending that the rules for security dont apply just because the endpoints are sensors and controllers hasnt really worked out -- and developers are too smart to think that the magic IoT fairy will sprinkle security dust on their system to protect the users.
Finally, the owners and users of the IoT deserve some blame, too. Follow me, here: Youre about to put lots of devices on your network that cant be secured in the same way that you secure your computing devices. They watch your people, control critical functions and collect data that would be of great interest to your competitors. Dont you think you should add network protection in the form of firewall rules, IDS and IPS conditions, and meaningful segmentation? Yeah, me, too, but far too many individuals and organizations dont.
Another week, another vulnerability. Perhaps, in this week of Black Hat, well learn something meaningful from this one. Perhaps.
Related posts:
WannaCry Was Just the Beginning
False Positives Have Real Consequences
Fixing the Tech Behind the Cyberwar
— Curtis Franklin is the editor of
SecurityNow.com
. Follow him on Twitter
@kg4gwa
.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
New Vulnerability Hits IoT Cameras