Earlier this year, the IoT-focused security firm Senrio discovered a hackable flaw called Devil’s Ivy, which has the potential to put thousands of different models of security cameras at risk. The vulnerability is found in a piece of open source code called gSOAP, created and maintained by a small company named Genivia. At least 30 companies use gSOAP in their IoT products.
The severity of this flaw is not yet known, but gSOAP code is used to implement a key protocol called Open Network Video Interface Forum (ONVIF), a networking language for security cameras and other devices that is used by the ONVIF Consortium. The consortium has nearly 500 members that include Canon, Cisco, D-Link, Hitachi, Huawei, Netgear, Siemens, Sony and Toshiba, among many others.
Security experts at Senrio believe that the flaw leaves server-side devices like cameras and sensors open to attacks that either disable them or allow the collection of images and video. Senrio experts also believe that client computers could be susceptible to hackers through the vulnerability.
While Genivia issued a patch to the code in June, it is unclear how many manufacturers that use the code have issued security-patched updates or notified their customers about the need to update their firmware.
Manufacturers of enterprise client systems and consumer mobile devices have patched security vulnerabilities found in operating systems and applications via a push model. Yet no standardized system currently exists to deliver that kind of security update for IoT manufacturers or customers. Hence, IoT platforms have become an easy, inexpensive and susceptible target of cyberattacks.
But customer negligence contributes as well. IoT cameras become even more prone to attack because users often dismiss the importance of changing the devices’ passwords.
Earlier this year, hackers exploited IP cameras used to keep track of pets and as CCTVs for home security. Hundreds of households in South Korea were victimized by these hackers, who took control of more than 1,400 digital cameras, exposing many people’s private moments. Some of the cameras were attached to live feeds. Others collected intimate moments, which were turned into videos and uploaded to pornography sites. In one testimonial, a victim recounted her attempt to prevent such a violation by turning the camera lens toward a blank wall. When she returned to the premises, she was horrified to find her camera lens facing her direction, indicating that hackers were following her movement by manipulating the camera’s orientation.