The vulnerability -- called Devil's Ivy or CVE-2017-9765 -- which was made public recently by Senrio, a company that specializes in IoT security. It initially found the bug in the M3004 model security camera marketed by Axis Communications, but further research found that 249 of Axis's 251 surveillance camera models are affected. The problem isn't with code that's native to Axis products but is in gSOAP, an open source web services library that is used by many developers. According to the market analysis that 34 companies use gSOAP -- a list which includes big shots like Microsoft, IBM, Xerox, and Adobe. As per report, third-party toolkit (gSOAP) was downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate.
Billions of IoT devices are vulnerable to cybersecurity attacks due to a vulnerability initially discovered in remote security cameras. The vulnerability is technically a stack buffer overflow bug in gSOAP, and it was found in a connected security camera made by Axis Communications. Devil's Ivy performs a remote code execution which allows an attacker to take down the server or sends a message to the client as the client will think it is legitimate because they receiving from the server, to remotely access the video feed from the camera, to reboot the device, to shut it down, to reset the device to its factory defaults, etc.
At present, Security researchers recommend keeping physical devices off of the public internet, defending IoT initiatives, and patching when possible
Authored By - Varun Bagaria
TCS Cyber Security Practice