Earlier this year, the IoT-focused security firm Senrio disclosed a flaw it named Devil's Ivy (CVE-2017-9765), a stack buffer overflow that could put thousands of models of security cameras at risk. The vulnerability lies in gSOAP, an open source SOAP/XML toolkit created and maintained by a small company named Genivia. At least 30 companies use gSOAP in their IoT products.
How widely the flaw is exploitable in practice is not yet known, but gSOAP is commonly used to implement ONVIF (Open Network Video Interface Forum), a SOAP-based protocol for IP cameras and other physical-security devices that is maintained by the ONVIF consortium. The consortium has nearly 500 members, including Canon, Cisco, D-Link, Hitachi, Huawei, Netgear, Siemens, Sony and Toshiba, among many others.
Security experts at Senrio believe the flaw leaves server-side devices such as cameras and sensors open to attack, either to disable them or to harvest the images and video they capture. Senrio also believes that client systems which use gSOAP to talk to such devices could be attacked through the same bug.
While Genivia issued a patch to the code in June, it is unclear how many manufacturers that use the code have issued security-patched updates or notified their customers about the need to update their firmware.
Vendors of enterprise software and consumer mobile devices patch vulnerabilities in operating systems and applications through a push model: the fix reaches the device without the user having to go looking for it. No comparable, standardized mechanism exists for IoT manufacturers or their customers, which is why IoT platforms have become an easy, inexpensive and exposed target for cyberattacks.
Customer negligence contributes as well. IoT cameras become even easier to compromise when users never change the default password the device shipped with.
Earlier this year, hackers exploited IP cameras used to keep an eye on pets and as CCTV for home security. Hundreds of households in South Korea were victimized, with attackers taking control of more than 1,400 cameras and exposing many people's private moments. Some of the cameras were attached to live feeds. Others captured intimate moments that were cut into videos and uploaded to pornography sites. In one testimonial, a victim recounted her attempt to prevent such violation by turning the camera lens toward a blank wall. When she returned to the premises, she was horrified to find the lens facing her, indicating that the attackers were tracking her movements by steering the camera's pan and tilt.
Later investigation found that the owners of the hacked cameras had never changed the manufacturer's default password. That one omission was enough to let the attackers take control of the cameras.
For now, the customer must be the prime maintainer of IoT device security. Customers and enterprises should follow some basic guidelines when purchasing and operating IoT devices:
- Customers should ensure that the IoT devices they purchase can in fact be updated with the latest firmware.
- Prior to making a purchase, customers should ensure that the IoT device is produced by a manufacturer with a solid track record of issuing patches.
- Once an IoT device is acquired, the first step in securing it is to change the password.
- Once the password is changed, customers should check whether the manufacturer has issued any firmware updates since the device shipped.
- If software updates are available, customers should immediately download and install new firmware to their devices. Patches could have been issued in the months since the device was manufactured, purchased and shipped to distributors or retailers.
- Every month, customers should visit the IoT device manufacturer’s website to see if any additional software updates are available for download and installation.
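Steps three through six above amount to "know what firmware is on the camera and compare it with what the vendor has released." Because most IP cameras expose the ONVIF device service the article mentions, that inventory can be scripted rather than done by clicking through each web UI. The following Python is an added example, not code from the article, Senrio, Genivia or ONVIF: it builds the real ONVIF GetDeviceInformation request authenticated with a WS-Security UsernameToken (the digest scheme ONVIF devices normally require, which is also why a changed, non-default password matters), parses the reply, and flags the device if its firmware is older than the first version known to carry the fix. The reply, the vendor "ExampleCam", the model "EC-1000", the firmware versions and the PATCHED_FIRMWARE table are all constructed for the example; in practice you fill that table from the vendor's own release notes and POST the envelope to the camera's device-service URL (conventionally http://<camera>/onvif/device_service).

```python
"""Inventory an ONVIF camera's firmware and compare it with a known-patched version.

Added example (not from the article or any vendor). Runs offline: the
device reply below is constructed, and no network request is made.
"""
import base64
import datetime
import hashlib
import os
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Real namespace URIs from the SOAP 1.2, WS-Security and ONVIF device-service specs.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "tds": "http://www.onvif.org/ver10/device/wsdl",
}
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_get_device_information(username: str, password: str,
                                 nonce: bytes = None, created: str = None) -> str:
    """SOAP 1.2 envelope for ONVIF GetDeviceInformation with a UsernameToken header."""
    nonce = os.urandom(16) if nonce is None else nonce
    if created is None:
        created = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    envelope = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <s:Header>
    <wsse:Security s:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{NONCE_TYPE}">{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body><tds:GetDeviceInformation xmlns:tds="{NS['tds']}"/></s:Body>
</s:Envelope>"""
    ET.fromstring(envelope)  # fail fast if the template is not well-formed XML
    return envelope


def parse_device_information(response_xml: str) -> dict:
    """Return the fields of a GetDeviceInformationResponse as a plain dict."""
    root = ET.fromstring(response_xml)
    resp = root.find(".//tds:GetDeviceInformationResponse", NS)
    if resp is None:
        raise ValueError("no GetDeviceInformationResponse in reply (SOAP fault or bad credentials?)")
    # ElementTree tags look like '{uri}Model'; keep only the local name.
    return {child.tag.split("}", 1)[1]: (child.text or "").strip() for child in resp}


def version_tuple(version: str) -> tuple:
    """'5.40.1' -> (5, 40, 1); tolerant of vendor suffixes such as '5.40.1-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def firmware_is_outdated(installed: str, minimum_patched: str) -> bool:
    """True when the installed firmware predates the first version known to carry the fix."""
    return version_tuple(installed) < version_tuple(minimum_patched)


# Constructed reply (not captured from a real device); vendor, model and values are made up.
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{NS['s']}">
  <s:Body>
    <tds:GetDeviceInformationResponse xmlns:tds="{NS['tds']}">
      <tds:Manufacturer>ExampleCam</tds:Manufacturer>
      <tds:Model>EC-1000</tds:Model>
      <tds:FirmwareVersion>5.40.1</tds:FirmwareVersion>
      <tds:SerialNumber>00408C123456</tds:SerialNumber>
      <tds:HardwareId>1</tds:HardwareId>
    </tds:GetDeviceInformationResponse>
  </s:Body>
</s:Envelope>"""

# Hypothetical table: first firmware known to include the fix, keyed by (Manufacturer, Model).
# Fill this from the vendor's release notes; the entry below is invented for the example.
PATCHED_FIRMWARE = {("ExampleCam", "EC-1000"): "5.51.2"}


def audit(response_xml: str, patched: dict = PATCHED_FIRMWARE) -> dict:
    """Parse a device reply and mark whether its firmware is older than the patched release."""
    info = parse_device_information(response_xml)
    key = (info.get("Manufacturer"), info.get("Model"))
    info["PatchedVersion"] = patched.get(key)
    # None means "unknown model": still worth a manual check, but not a confirmed miss.
    info["Outdated"] = firmware_is_outdated(info["FirmwareVersion"], patched[key]) if key in patched else None
    return info


if __name__ == "__main__":
    print(build_get_device_information("admin", "a-password-you-changed"))
    print(audit(SAMPLE_RESPONSE))
```

Two practical notes. A device that answers GetDeviceInformation without any UsernameToken, or with the vendor's documented default credentials, has already failed step three above and should be treated as compromised until the password is changed. And a SOAP fault instead of a response is the normal sign of wrong credentials, which is why `parse_device_information` raises rather than returning an empty record.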
IoT devices have the potential to deliver real breakthroughs in efficiency and entertainment, as well as in enterprise and home security. But until manufacturers build an effective push model for firmware updates and ship each device with its own unique, randomly generated password, the customer must stay hyper-vigilant.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.