
SoylentNews is people

posted by mrpg on Tuesday July 18 2017, @11:59PM
from the no-comment dept.

A vulnerability codenamed Devil's Ivy is putting thousands of Internet-connected devices at risk of hacking.

Discovered by security researchers from Senrio, the flaw affects gSOAP, a C/C++ library widely used in the development of firmware for embedded devices.

gSOAP is a dual licensed (free and commercial) product developed by Genivia, who on its website says the library will help companies in the "development of [...] products [that] meet the latest industry standards for XML, XML Web services, WSDL and SOAP, REST, JSON, WS-Security, WS-Trust with SAML, WS-ReliableMessaging, WS-Discovery, TR-069, ONVIF, AWS, WCF, and more."

Senrio researchers initially discovered the vulnerability while analyzing the firmware of the Axis M3004 security camera.

After contacting the camera vendor with their findings, Axis told Senrio that the Devil's Ivy vulnerability affects 249 of 252 security camera models the company makes, which use firmware that includes the gSOAP toolkit.

The vulnerability is a simple buffer overflow, but Senrio researchers have managed to use it to execute code on the Axis security camera.

[...] The problem is that gSOAP is very popular among many IoT and networking equipment vendors. On their website, Genivia claims the library was downloaded over one million times.

[...] A technical report detailing the vulnerability is available here. Devil's Ivy is tracked as CVE-2017-9765.

Source: BleepingComputer

Additional Coverage at:

Advisory from Genivia.



  • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @12:10AM (6 children)

    by Anonymous Coward on Wednesday July 19 2017, @12:10AM (#541241)

    gSOAP is a dual licensed (free and commercial) product developed by Genivia, who on its website says the library will help companies in the "development of [...] products [that] meet the latest industry standards for XML, XML Web services, WSDL and SOAP, REST, JSON, WS-Security, WS-Trust with SAML, WS-ReliableMessaging, WS-Discovery, TR-069, ONVIF, AWS, WCF, and more."

    This is what you get when you try to build real products with children's toys. Fuck IoT.

    • (Score: 4, Informative) by Arik on Wednesday July 19 2017, @03:19AM (4 children)

      by Arik (4543) on Wednesday July 19 2017, @03:19AM (#541303) Journal
      "XML Web services, WSDL and SOAP, REST, JSON"

      and the list goes on.

      This is Crapware. Free Crapware is still Crapware. No matter how many times it's recycled, it won't cease to be Crapware.

      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @05:57AM (2 children)

        by Anonymous Coward on Wednesday July 19 2017, @05:57AM (#541344)

        gSOAP is one of the most respected web services libraries and it's used by thousands of companies and almost all of the top 500. It generates web service glue code so you don't have to write that crap by hand. It isn't some random, new library.

        • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @02:15PM (1 child)

          by Anonymous Coward on Wednesday July 19 2017, @02:15PM (#541425)

          Spotted the web monkey.

          • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @03:55PM

            by Anonymous Coward on Wednesday July 19 2017, @03:55PM (#541476)

            wrong story [soylentnews.org]

      • (Score: 2) by tibman on Thursday July 20 2017, @01:29AM

        by tibman (134) Subscriber Badge on Thursday July 20 2017, @01:29AM (#541737)

        Might as well say http is free crapware then. Those are just data exchange formats. JSON RFC, for example: https://tools.ietf.org/html/rfc7159 [ietf.org]

        I know you hate javascript but json isn't executing anything in your browser : )

        --
        SN won't survive on lurkers alone. Write comments.
    • (Score: 2) by tibman on Thursday July 20 2017, @01:29AM

      by tibman (134) Subscriber Badge on Thursday July 20 2017, @01:29AM (#541738)

      C and C++ are children's toys now?

      --
      SN won't survive on lurkers alone. Write comments.
  • (Score: 2) by MichaelDavidCrawford on Wednesday July 19 2017, @12:15AM (3 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday July 19 2017, @12:15AM (#541247) Homepage Journal

    It makes sense for a fighter plane to be controlled by computers, but not passenger jets.

    Do our Things really _need_ to be on the Internet?

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Informative) by mth on Wednesday July 19 2017, @12:23AM

      by mth (2848) on Wednesday July 19 2017, @12:23AM (#541252) Homepage

      There are certainly things that are connected to the net for no good reason, but in the case of security cameras, being able to access them remotely is their main purpose.

    • (Score: 2) by LoRdTAW on Wednesday July 19 2017, @11:53AM (1 child)

      by LoRdTAW (3755) on Wednesday July 19 2017, @11:53AM (#541396) Journal

      Do our Things really _need_ to be on the Internet?

      Need? No. Want, *MAYBE*. My only IoT desire is a washer/dryer that texts me that the cycle is finished. Big mental block for me when I toss in a load and forget after doing something else. Maybe an oven that does the same when it's on a timer. Other than that, I have never thought to myself "Gee, wouldn't it be great if my toaster/refrigerator/airconditioner/TV/microwave/lamp were connected to the internet." None of those devices perform a function that needs remote control or monitoring.

      Remote control I can understand. But not IoT remote control. No need for me to turn my lights on from a restaurant as a recent commercial would like you to believe. However, I sometimes forget to turn a light off downstairs every now and then. Would be nice if I could just check an app on my phone.

      • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @03:35PM

        by Anonymous Coward on Wednesday July 19 2017, @03:35PM (#541465)

        So now you own a washing machine / oven / house light system. That didn't take much arm wringing at all! IoT is here for a reason, we need better security and smarter implementations.

  • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @12:23AM (3 children)

    by Anonymous Coward on Wednesday July 19 2017, @12:23AM (#541253)

    How about "surveillance camera" or "CCTV camera"?

    • (Score: 2) by c0lo on Wednesday July 19 2017, @02:05AM (1 child)

      by c0lo (156) on Wednesday July 19 2017, @02:05AM (#541276) Journal

      or "CCTV camera"?

      "Closed circuit TV camera" and "accessible over open Internet", right?
      You know it makes sense nowadays, that's actually a sign of the times.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
      • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @03:58AM

        by Anonymous Coward on Wednesday July 19 2017, @03:58AM (#541319)

        China Central Television

    • (Score: 3, Informative) by nishi.b on Wednesday July 19 2017, @08:37AM

      by nishi.b (4243) on Wednesday July 19 2017, @08:37AM (#541376)

      In France there was a deliberate effort by politicians and manufacturers to change the name of these devices to something more cuddly.
      They are supposed to be called "caméra de surveillance" (surveillance camera) but now they are referred to by politicians as "vidéoprotection" !

  • (Score: 2) by Snotnose on Wednesday July 19 2017, @01:07AM (5 children)

    by Snotnose (1623) on Wednesday July 19 2017, @01:07AM (#541261)

    Nope, still no IoT things on my network. I'm good. I'll be good til the day I die and the kids buy something they think will help value my stuff.

    --
    I came. I saw. I forgot why I came.
    • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @01:46AM (3 children)

      by Anonymous Coward on Wednesday July 19 2017, @01:46AM (#541270)

      Nope, still no IoT things on my network.

      Bender: I'm a thing.

      • (Score: 2) by Snotnose on Wednesday July 19 2017, @02:50AM (2 children)

        by Snotnose (1623) on Wednesday July 19 2017, @02:50AM (#541288)

        Bender: I'm a thing.

        yeah, but your too smart to put yourself on a network with IoT whatever's attached.

        --
        I came. I saw. I forgot why I came.
        • (Score: 2) by mcgrew on Wednesday July 19 2017, @03:08PM (1 child)

          by mcgrew (701) <publish@mcgrewbooks.com> on Wednesday July 19 2017, @03:08PM (#541454) Homepage Journal

          You're, not your. You're spending too much of your time on Facebook, where nobody writes or spells well. Dew knot truss yore spill checker!

          --
          Carbon, The only element in the known universe to ever gain sentience
          • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @03:37PM

            by Anonymous Coward on Wednesday July 19 2017, @03:37PM (#541467)

            Only trust the uppitty human with nothing better to do!

    • (Score: 0) by Anonymous Coward on Wednesday July 19 2017, @02:57AM

      by Anonymous Coward on Wednesday July 19 2017, @02:57AM (#541290)
      Your router counts as part of the "Internet of things". I certainly hope you use one whose manufacturer cares about security enough to publish patches, or one that can be patched easily enough by open source third-party firmware. Or maybe you're one of those people who uses a real computer as a router?