Devil’s Ivy (or CVE-2017-9765) is a stack buffer overflow vulnerability identified by Senrio, a U.S.-based Internet-of-Things (IoT) security firm based in Portland, OR. They first posted about the issue on their website on July 18, 2017.
Discovery of Devil’s Ivy and the origin of the name
The irony is that the flaw was discovered while analysing a security camera (model no. M3004) manufactured by multinational security company Axis Communications. Senrio soon determined that Devil’s Ivy was present in 249 out of 252 of Axis camera models.
The bug was identified in a code called gSOAP (Simple Object Access Protocol), an open source third-party code library made by Genivia and found in a multitude of physical security products such as the aforementioned cameras.
As to why Senrio named the hackable code Devil’s Ivy, they released the following statement on their website:
“We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse. Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate.”
The dangers of Devil’s Ivy
When Devil’s Ivy is exploited, it enables hackers to access a camera’s video feed and prevent anyone else (including the owner) from accessing the feed. They could also use the weakness to install malware to the target camera, and the worst part is that all of these things could be done remotely.
This creates a serious danger for places that use security cameras as a major safety tool, and buildings such as banks are especially at risk. Cybercriminals could hack into a bank’s security camera feed and use it to make robbing the bank an easier task. They could stop others from accessing the video feed, manipulate it so that it doesn’t show the crime, or they could delete it to remove evidence.
Devil’s Ivy and its far-reaching effects
gSOAP is a code used in a wide variety of physical security products such as the Axis communications cameras. Genivia CEO and gSOAP inventor Robert van Engelen states his company has 34 clients using the code library, but he declined to specify the names of the companies.
This means hackers have the potential ability be able to control thousands of devices all at once and that Devil’s Ivy could spread to tens of millions of products (software, IoT devices, and other connected tools).
Robert van Engelen disagrees with this assessment, though. The gSOAP inventor says that only devices that act as servers are susceptible to the hack and not clients because they don’t have an open internet connection. However, Senrio stands by their findings. According to the IoT security firm, vulnerable servers could also be used to spread Devil’s Ivy to computers that use gSOAP as clients.
What has been done to prevent the spread of Devil’s Ivy
When Axis Communications was made aware of the problem, they reached out to Genivia at once. The company behind the code library has since released a patch update to rectify the issue and advised all users to upgrade the firmware of their devices.
Axis also informed the Open Network Video Interface Forum (ONVIF) — a global open industry forum they formed in 2008 together with other security device manufacturers Bosch and Sony — of the situation . Since some members of ONVIF use gSOAP, Axis wanted to make sure that they knew about the Devil’s Ivy threat so these members could fix the issue immediately.
Secure yourself with Hotspot Shield
Do you want to secure your IoT devices at home or at your place of business? If so, a high-quality VPN such as Hotspot Shield can help you. Our VPN has tons of benefits for your privacy and security online.
Visit our website today and download Hotspot Shield absolutely free. Our VPN is available for Windows, Mac OS, Android, and iOS. You can also read up on the latest tech news by checking out our blog.