Please create an account to participate in the Slashdot moderation system


Forgot your password?
Bug The Internet Communications Privacy Security Software Hardware

Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers ( 53

New submitter Aliciadivo writes: A nasty vulnerability found in Axis security cameras could allow hackers to take full control of several types of Internet of Things devices, and in some cases, software programs, too. The Senrio research team found that devices and software programs using an open source software library called gSOAP to enable their product to communicate to the internet could be affected. Stephen Ridley, founder of Senrio, said: "I bet you all these other manufacturers have the same vulnerability throughout their product lines as well. It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of." A spokesperson for ONVIF, an electronics industry consortium that includes Axis and has includes some members that use gSOAP, said it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected." Hundreds of thousands of devices might be affected, as a search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results. You can view Senrio Labs' video on the exploit (which they refer to as the "Devil's Ivy Exploit") here.
This discussion has been archived. No new comments can be posted.

Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers

Comments Filter:
  • not a flaw (Score:4, Funny)

    by turkeydance ( 1266624 ) on Tuesday July 18, 2017 @05:07PM (#54835419)
    it's a feature. approaching a standard
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You beat me to it! Lack of security, and security flaws are intentional features of all IoT devices! If IoT devices had any security at all, that would defeat their main purpose , which is to spy on their purchasers for their real corporate owners!

      Just say NO to these IoT spies in your homes! I do!!

    • Not a feature, but it's a fair assumption that an IoT device contains either a vulnerability, or something that sends data to its master when it's not supposed to, or both. Assuming that, you have no business hooking up any such devices directly to the internet with not even a NAT to hide behind. Any IoT device should sit behind a bastard of a firewall that lets nothing out, or in case the device does need some connection to the Internet to function, is very restrictive about the connections it is allowed
      • by gnick ( 1211984 )

        In other words: isolate these things on your LAN.

        That's fine advice for slashdot users, but will be ignored by the vast majority of customers. When somebody buys an IoT device, they're likely to go through the minimum set of steps that get the functions they want running. "Extra" features, like generating the occasional SYN flood, will be enabled along the way. Neither the manufacturers nor the customers have adequate motivation to secure these things. If there were consequences for an IoT device acting up (e.g. your ISP cuts your line until you have your

        • Just so. I wouldn't even trust us slashdotters (or myself for that matter) to get this right all the time. We do need a multi pronged approach, and anomaly detection is one of them. The ISPs might be able to play a role in that, though as we've seen in the last DDOS attack by IoT devices, botnet operators have learned to fly under the radar and send only small mounts of traffic per device instead of crapflooding to the max of its extent. Detection at the ISP level is becoming harder. But I've not seen
          • Don't put your IOT devices directly on the Internet, setup a VPN at home and use that to access them. Your phone should have a VPN client included and any apps should behave just like you were on the local network. Some devices will need outbound access, but not all. You can either pass all traffic out, or do a little investigative work and setup some filtering.

            I use libreswan for VPN access, but it can be a little tricky to setup and get the routing correct. Does anyone make an easy to use VPN applian

  • by JoeDuncan ( 874519 ) on Tuesday July 18, 2017 @05:32PM (#54835533)
    Nobody could have possibly known in advance that hooking *everything* up to the internet was a security risk, right?
  • more info at Krebs: []

    “You probably wouldn’t be able to make a universal, Mirai-style exploit for this flaw because it lacks the elements of simplicity and reproduceability,” Karas said, noting that the exploit requires that an attacker be able to upload at least a 2 GB file to the Web interface for a vulnerable device.

    it's worth noting that using you can easily send several gigabytes of zeros if you can mark the communication as using gzip compression.

    • exactly its trivial to send 2GB however the manufacturers should have used a webserver that can mitigate this kind of thing

      what exactly does ONIF give anyone beyond pan tilt zoom ?


      • ONVIF attempts to make it so that you can use any camera with any VMS, and they do an alright job of it. You can be mostly certain you'll at least get video from the camera, but good luck with camera-side motion detection/video analytics, onboard storage, or any other "advanced" features.
  • by Anonymous Coward on Tuesday July 18, 2017 @05:59PM (#54835653)

    This has nothing to do with IoT. The bug is in gSOAP which is used everywhere as it's one of the go-to choices when picking a library for communication over SOAP, REST, and/or XML. Basically any company doing something with web services likely used gSOAP at one point. Here's a blurb from their website:

    "The gSOAP toolkit is used by most of the top Fortune 500 companies and all of the top 15 technology companies. Speed, reliability and flexibility, coupled with a proven track record and used by some of the largest technology vendors makes it an ideal platform to develop applications using Web services and XML processing. Applications include embedded systems, mobile devices, telecommunications, routers, online games, Web TV, banking systems, auction systems, news outlets, network management systems, grid and cloud computing platforms, and security software."

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The blame is actually not gSOAP per se. The problem is the vendor’s improper use of the gSOAP software as the library in the documentation states clearly that the preferred way to deploy services is to use Apache or IIS. Common sense, right? I understand that they rolled out their own server. It takes only one ONVIF vendor who then blames gSOAP but appears not to understand the importance of server deployment principles. Not that many ONVIF protocol users are affected because of the configuration with

  • I used to do this using Google back in 2004 searching for publicly accessible web cams and the strings that their web viewer used. Some even allowed you to control them which was awesome. If you're too stupid to add a password to any iot device, you deserve the pain that comes.

    • Yes, you're right in general, but this isn't that. this isn't a lack of credentials / poor password thing. This is a legit stack vulnerability that leads to arbitrary code execution, and a ROP chain shellcode. A password wouldn't help. []

  • Most of the shit ONVIF cameras wont let you turn that crap off.
    I dont care if the username password is "admin admin" My cameras are 100% hackerproof because they are on a private locked down network. The only gateway to the internet is the single recording PC, and even then you have to VPN in to that network to see them.

    Basically if you are dumb you put your IOT stuff on the internet. The smart people treat all of it as dangerous and put it on a network that is segmented and protected because you can not

    • Yeah, I knew I was buying a sketchy Chinese camera that wanted to phone-home for "remote access" features, but VLAN's and firewall rules work just fine and only the recording VM needs to ever get traffic from it.

      Trouble is, only networking geeks can get this kind of thing working today.

      • by Anonymous Coward

        Go over to smallnetbuilder forums. Plenty will explain both. There are even tutorials.

    • It works pretty well, until you get into things like Sonos needing an encrypted stream for Amazon Music that you can't easily firewall and proxy at the perimeter. (Not that I know of Sonos as being vulnerable.)

      It gets worse with things like the Echo, Apple TV, etc.

  • This problem will always exist while management is held to the standard of cost is more important then security approach to producing items.

System checkpoint complete.