‘Devil’s Ivy’ Is Another Wake-Up Call for IoT Security
There’s been another wake-up call concerning our old friend the internet of things. As usual, it comes in the form of yet another security vulnerability in the wild. Although the amount of damage this one can do remains uncertain, we know it affects an extremely large number of devices, and at the very least can be used to disable security cameras from one affected company.
Ultimately, the amount of damage it will cause will depend on whether users of affected products are implementing best security practices when it comes to connected devices. This includes not only keeping devices patched — if possible — but other actions such as keeping IoT security devices protected behind firewalls.
The vulnerability — called Devil’s Ivy or CVE-2017-9765 — was made public last week by Senrio, a company that specializes in IoT security. It initially found the bug in the M3004 model security camera marketed by Axis Communications, but further research found that 249 of Axis’s 251 surveillance camera models are affected.
Although that’s a lot of devices, it’s only the tip of the iceberg, as the problem isn’t with code that’s native to Axis products but is in gSOAP, an open source web services library that’s used by many developers. Media outlets are reporting that 34 companies use gSOAP — a list that includes Microsoft, IBM, Xerox and Adobe.