Another glaring security problem with Internet of Things devices has come to light. The details highlight why IoT security should be a front-line concern, not an afterthought. With several major attacks this year powered by botnets built on compromised IoT devices, manufacturers should be looking more closely at their code. This latest flaw, however, lies several layers deep in the device's software stack. Dubbed "Devil's Ivy" by the researchers who uncovered it, it is a bug in an open-source library that many devices build on.
The researchers first uncovered the flaw while examining a popular security camera model from manufacturer Axis. By triggering a stack-based buffer overflow in the open-source library the camera uses to handle network requests, they could take over the device and reach its video feed. That library is used by an untold number of IoT devices as a quick and simple way to put their hardware on the Internet. The researchers alerted Axis, which confirmed that the vulnerability was present in 249 of its products. Axis developed, tested, and quickly released a patch, but that does not mean the problem is over.
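To show the class of bug involved, here is an added example of the pattern that turns a long network message into a stack-based buffer overflow, beside a bounded version. This is constructed illustration code, not Axis's firmware and not the affected library's source: the XML-like message format, the "Action" element, the 32-byte buffer and the two handler names are all assumptions chosen to keep the example small.

```c
/* Added example: a fixed stack buffer filled with attacker-controlled length.
 * Constructed code, not Axis's firmware or the affected library's source. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 32   /* assumed size of the stack buffer the element text lands in */

/* Constructed sample requests: one normal, one with an overlong element body. */
const char *const SHORT_MSG = "<Envelope><Action>GetVideo</Action></Envelope>";
const char *const LONG_MSG  = "<Envelope><Action>"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 48 bytes, > TEXT_MAX */
    "</Action></Envelope>";

/* Locate the text between <tag> and </tag> in msg.
 * Returns a pointer to the text and stores its length in *len, or NULL if the
 * element is absent. The length is entirely under the sender's control. */
static const char *find_text(const char *msg, const char *tag, size_t *len) {
    char open[64], close[64];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    const char *start = strstr(msg, open);
    if (!start) return NULL;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Vulnerable pattern: the copy length comes from the message, the destination
 * is a fixed-size stack array, and nothing compares the two. A body longer
 * than TEXT_MAX-1 bytes writes past text[] into saved registers and the
 * return address. Returns the body length, or -1 if no Action element. */
int handle_request_vulnerable(const char *msg) {
    char text[TEXT_MAX];
    size_t len;
    const char *body = find_text(msg, "Action", &len);
    if (!body) return -1;
    memcpy(text, body, len);      /* no bound check on len */
    text[len] = '\0';
    return (int)len;
}

/* Hardened version: refuse the request before touching the buffer.
 * Returns the body length, -1 if no Action element, -2 if the body is too long. */
int handle_request_fixed(const char *msg) {
    char text[TEXT_MAX];
    size_t len;
    const char *body = find_text(msg, "Action", &len);
    if (!body) return -1;
    if (len >= sizeof text) return -2;   /* leave room for the terminator */
    memcpy(text, body, len);
    text[len] = '\0';
    return (int)len;
}

int main(void) {
    /* Only the hardened handler is given the overlong message: feeding it to
     * the vulnerable one is undefined behaviour (a real stack smash). */
    printf("vulnerable, short: %d\n", handle_request_vulnerable(SHORT_MSG));
    printf("fixed, short:      %d\n", handle_request_fixed(SHORT_MSG));
    printf("fixed, long:       %d\n", handle_request_fixed(LONG_MSG));
    return 0;
}
```

Compiling with `-fsanitize=address` and calling `handle_request_vulnerable(LONG_MSG)` reports the stack-buffer-overflow at the `memcpy`; the fixed handler never reaches it. The point for device vendors is that the check has to live in the shared library, since every product that links it inherits the same missing comparison.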
It is easy enough for Axis to tell customers who bought its products directly that there is an urgent patch to apply. However, its products, like many other IoT devices, also reach third-party retailers, who sell them with no connection to the parent company. Those customers are difficult, if not impossible, to reach. The tangled web of suppliers and manufacturers behind these products means that when vulnerabilities do arise, they stay widespread because there is no infrastructure in place for patch distribution.
Worse still, since the Devil's Ivy bug lives in a third-party open-source library, there could be millions of other affected devices out there. The library's maintainer has also issued a fix and other manufacturers have been alerted, but getting that fix into shipped firmware is up to each of them. In other words, there is no way to know how many of these holes the patch will actually close. Many products still on the market could remain susceptible to takeover. Unfortunately, this is typical of the IoT industry. Devil's Ivy shows once more that far greater awareness is needed; otherwise we will keep seeing attackers build massive botnets out of these products.