Devil’s Ivy Likely Widespread

A recently discovered vulnerability labeled “Devil’s Ivy” is expected to impact millions of cameras that support the ONVIF protocol.

The initial exploit was discovered on an Axis Camera and then found on 249 different Axis camera models – but the problem goes well beyond Axis Cameras.  The code vulnerability is in gSOAP, which is widely used by ONVIF members to implement ONVIF on cameras.  The ONVIF consortium includes nearly 500 members and includes companies such as Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp, Siemens, Sony, and Toshiba.

In a phone call with WIRED, Genivia founder and gSOAP creator Robert van Engelen said 34 ONVIF companies used gSOAP as paying customers, but declined to say which ones. WIRED reached out last Friday to the 15 major companies on ONVIF’s member list named above to ask if they released specific patches for their gadgets – most did not respond or declined to comment.

What is most devastating about this venerability is how widespread it is because it is in libraries that are widely used across millions of cameras.  Updating those cameras likely affected is a gargantuan project.

This is a clear example of why segmenting your network or utilizing technology like Eagle Eye Camera Cyber Lockdown is critical. Eagle Eye Camera Cyber Lockdown isolates the cameras from other networks so that they cannot be maliciously attacked nor utilized if they contain a trojan or other malware.  We do not expect that many manufacturers are equipped or organized to do a quick firmware release across all their camera models to patch this vulnerability.

You can read the WIRED article regarding the Devil’s Ivy vulnerability here:
https://www.wired.com/story/devils-ivy-iot-vulnerability/