Coding flaws evident in a popular open source software development kit known as gSOAP, which has been adopted in recent years by manufacturers of “smart devices,” could allow a hacker to remotely control and infect internet-connected hardware like security cameras with malware, according to research published Tuesday by IoT-focused cybersecurity firm Senrio.
The findings are significant because they highlight a series of vulnerabilities in a common coding framework that is already widely used by technology manufacturers and embedded in deployed devices. The research underscores the security development gap in some Internet of Things devices. Such vulnerabilities already have contributed to the rise of massive botnets that can be used in crippling distributed denial-of-service attacks.
In the case of an internet-connected video camera, the bug in gSOAP could be exploited by a hacker to install a backdoor implant, block an admin from making settings changes or to allow access to live video feeds.
Senrio chief technology officer Stephen Ridley and vice president of research M. Carlton first discovered the bug while probing an internet-connected camera manufactured by Axis, a Swedish technology manufacturer, for vulnerabilities. The duo dubbed the vulnerability “Devil’s Ivy.”
Axis is now providing customers with a software update that will patch the vulnerability. Even so, it’s common for users of any device to ignore or delay upgrading its software. As malware victims often discover, even old, well-known coding flaws can be continuously exploited in the wild.
A small company named Genivia originally developed gSOAP. While Genivia has already issued a patch for the vulnerability, more than 34 different companies have developed IoT products with the code. The actual number of smart devices with gSOAP code is not entirely clear.
In the past, Genivia’s open source library has been promoted by ONVIF, an electronics industry consortium that represents technology giants like U.S. internet hardware makers Siemens and Cisco. According to a statement obtained by Vice’s MotherBoard, ONVIF has notified its members of the recently uncovered issues with gSOAP.
While the coding flaw is significant, experts say that it doesn’t necessarily translate into a massive catalog of vulnerable smart devices. Firewalls and other elementary security measures would likely make these machines more difficult to hack.
Given the diversity of devices believed to be associated with gSOAP, it’s possible that some come fixed with data input controls, which would also help mitigate the threat of a backdoor implant being remotely installed. Additionally, attackers hoping to exploit the gSOAP vulnerability would need to configure attacks differently for each specific device they hope to compromise. Those adjustments would, at least in theory, force an attacker to do considerable preliminary work before launching an expansive operation.