THE SECURITY WOES of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products. That means a single bug can impact a startling number of disparate devices. Or, as one security company’s researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk.
On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it’s calling “Devil’s Ivy,” a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers. In all, the small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products. And while Genivia has already released a patch for the problem, it’s so widespread—and patching so spotty in the internet of things—that it could persist unfixed in a large swath of devices.
“We made this discovery in a single camera, but the code is used in a wide range of physical security products,” says Senrio chief operations officer Michael Tanji. “Anyone who uses one of the devices is going to be affected in one way or another.”
While internet of things devices might be the most vulnerable to the Devil’s Ivy flaw, Tanji points out that companies including IBM and Microsoft are exposed as well, though Senrio hadn’t yet identified any of those companies’ specific at-risk applications. “The scope and scale of this thing is arguably as big as anything we’ve been concerned about with computer security in recent history,” Tanji says.
Not every security researcher shares quite that code-red sense of urgency. H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio’s findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, what he describes as a “silly” amount of bandwidth. But he nonetheless sees it as a significant and widespread bug—and an illustration of the danger of reusing code from a small company across tens of millions of gadgets. “This vulnerability highlights how supply chain code is shared across the Internet of Things,” he writes. “With IoT, code reuse is vulnerability reuse.”
An obscure bug in 34 companies’ physical secure gadgets could leave them open to hackers.