alphaspirit - Fotolia

How does the Devil's Ivy bug compromise security cameras?

The Devil's Ivy bug affects millions of internet-connected security cameras. Expert Judith Myerson explains how the exploit works and what can be done to prevent it.

In 2017, researchers discovered a flaw called Devil's Ivy that affected millions of internet-of-things devices. What is the Devil's Ivy bug and how can enterprises defend against it?

The Devil's Ivy bug is a vulnerability that enables hackers to operate as the root user on the targeted device.

The flaw is in the gSOAP library, a third-party toolkit that provides automated SOAP and XML data binding for C and C++. Researchers at the internet of things (IoT) security startup Senrio found the flaw in a commercial indoor security camera made by the Swedish company Axis Communications AB.

To demonstrate the flaw, the researchers hijacked an Axis model M3004 camera mounted in the home of a co-worker. During the demonstration, which the team filmed, every movement the adviser made was observed from about 3,000 miles away.

The security camera exploit is possible because of a stack-based buffer overflow vulnerability that the Senrio researchers dubbed the Devil's Ivy bug. A programming-savvy hacker could take advantage of this overflow to access the video feed of a sensitive location, such as a bank lobby. It could also potentially view a crime in progress and prevent the video from recording the crime.

The video provided in Senrio's technical advisory shows how the researchers found the Devil's Ivy bug. The vulnerability was lurking in the deep communication layers of gSOAP.

Using Nmap as a port scanner, the researchers found that port 3702, which used the Web Services Dynamic Discovery protocol (WS-Discovery), was open. The process uses WS-Discovery to load the vulnerable code from the gSOAP library to parse incoming SOAP messages.

As the unprivileged user, the researchers gained access to a shell. They then found the permissions settings in a text file on the camera. Next, they removed restrictions that prevented unprivileged users from using the reset command.

After giving the camera several minutes to process the malicious changes, the researchers were able to reset the device, which was rebooted to its factory defaults. The researchers were then prompted for a new password, giving them full remote control of the device.

To fix the Devil's Ivy bug, Axis Communications released firmware patches for around 250 of its camera models. Axis' customers include most of the top Fortune 500 companies.

In addition, Axis Communications and Genivia, the developer of gSOAP, both recommend placing the cameras and IoT devices behind a firewall that properly closes vulnerable ports.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing