Millions of IoT devices hit by 'Devil's Ivy' bug in open source code
Posted: 21 Jul 2017
A flaw in a widely used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack.
Researchers at IoT security firm Senrio discovered the Devil's Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications. The bug is triggered when a large XML file is sent to a vulnerable system's web server.
We have 3 Foscam cameras (1 in our 4-year-old's bedroom, her playroom, and one in the basement where we keep our dogs). Initially, I had them set up so that they were directly accessible on the net (I was using an app called Babycam Monitor to access it). I quickly learned of the vulnerabilities and decided to close the cameras. I disabled UPnP and disabled port forwarding on my router (Ubiquiti UniFi USG-Pro). Now I can only access them via connection to my OpenVPN server. The OpenVPN server is the only port open.
I have a ton of IoT devices, which I've separated into VLANs. Nokia WiFi scale, Chamberlain garage door openers, Samsung washer/dryer, Amazon Dash buttons, Alexa devices, etc. It makes my life much easier, but I'm aware of the risks. I try to keep them as up-to-date as possible and try to keep them from connecting to my main network.
This is just a risk I take in order to make my life more convenient. Sooner or later I'm sure I will be hit despite all the security measures I've taken.
"Allowed"? Who exactly is the arbiter of what can and cannot be placed on the internet?
The same ones who came down hard on the child who was selling lemonade, to protect the child and deter others from taking on such risks. The same ones who issue licenses and certifications to businesses to ensure consumers at the least have an appearance of protection.
Regarding IoT, there is no appearance of protection. Someone like ericnxmd can protect himself to some degree. The rest of us require the governance to protect us.