19 Jul 2017
After discovering a potentially devastating bug in code used in its video cameras, Axis Communications, a maker of high-end security cameras, has taken the lead in patching an issue that, if exploited, would allow an attacker to crash or even take remote control of the device.
Hopefully others in the industry will follow suit – and quickly.
The flaw is not in their product, but rather in the code that is used in the devices. It is open-source, third-party code and is found in countless electronic products, security cameras among them. This "code library" is called gSOAP and is maintained by the company Genivia. The code is not only reusable but popular as well, because it allows "Internet of Things" (IoT) devices, like security cameras, to communicate with each other. This is great, but it does not come without a cost.
If code such as this is exploited, cybercriminals could turn the ability to communicate against the owner. By running malicious code, the attacker could black out videos or even crash the system.
As such, Genivia unveiled updated code on June 21, 2017, that fixes the vulnerability. Genivia CEO Robert Van Engelen has stated publicly that the company has contacted all of its clients, as a majority of the customers utilize gSOAP in their products. However, according to Engelen, most of the users are not impacted by the issue.
Since then, however, one affected client, Axis, has already released a patch to plug the hole that was found in hundreds of its electronic products, and it would be a good idea for others who are vulnerable to follow suit.
That being said, it is likely that not all will, and there is no way for those purchasing the products to tell whether or not it has been done.
According to a report issued by Senrio, the security company that discovered the flaw, “On Sourceforge, gSOAP was downloaded more than 1,000 times in one week, and 30,000 times in 2017. Once gSOAP is downloaded and added to a company’s repository, it’s likely used many times for different product lines.” This means that there are likely to be hundreds of millions of potentially vulnerable devices that are likely to go unpatched.
The trend of hacking IoT devices has been steadily gaining momentum over the past year, and if these companies leave their products unpatched AND connected to the internet, the results can be devastating. In addition to the threats highlighted above, it also leaves them completely vulnerable to malware that could use the devices to deploy more denial-of-service (DoS) attacks. While this flaw does not increase the vulnerability to the DoS malware, it does not make them any less vulnerable, either.
So what can you do to protect yourself from IoT threats?
- Attach your surveillance devices to a secure Video Management System, as opposed to connecting the devices directly to the Internet. This one step will practically eradicate any vulnerability your devices may have.
- Change all factory settings and choose secure passwords.
- Always update software, in order to stay ahead of the threats.