An Apple A Day….

Do you own an iPhone or iPad? First thing today, it’s time to update to iOS version 10.3.3.

Why? Your device is vulnerable to an exploit that allows an attacker to take it over. The flaw, called BroadPWN, is critical; it will be covered in depth by other writers. Gone are the days when Apple fans could claim invulnerability to the malicious backhand of the Web.

When? Do it now, while having coffee or debating whether or not to call in sick to work. It will take about 15 minutes start to finish to update. 

How? Hopefully, this is routine to you by now. If not, we need to talk. Go to ‘Settings’ -> ‘General’ -> ‘Software Update.’

Enjoy your Monday.

Growing Devil’s Ivy in the Internet of Things.

By Rob Medley

Linux is becoming a larger target for malicious actors these days. If you’re unfamiliar with Linux, it’s a different flavor of operating system, like Windows or macOS. Don’t think you own anything that runs Linux? Think again. The odds are heavily in favor of you owning a gadget that is connected to the web, making it part of what is known as the Internet of Things (IoT). Gadgets like Amazon’s Echo, security cameras, Internet-enabled dimmable lights, and so on all make up the IoT.

While the Echo and other high-end gadgets may be less vulnerable to attack, the bargain hunter in us is driving the purchase of cheaper items, those that may do the same thing as the Echo, from places like China. As manufacturers tend to care more about shipping product than the security of the product itself, cheaper does not equal better. Dozens of manufacturers use the same Linux code or stripped-down operating systems to make their gadgets work well enough to get them to market. After-the-fact security support is often left to the user or a poorly manned customer service center.

Devil’s Ivy, the name of an exploitable software flaw discovered by the research company Senrio, lies in Simple Object Access Protocol (SOAP) code that allows a gadget to communicate with the network. Companies that use the code in their products are part of the ONVIF consortium, a “forum that provides and promotes standardized interfaces for effective interoperability of IP-based physical security products,” per the ONVIF website. Who are the members? Canon, TP-Link, BAE, Cisco, D-Link, Honeywell, JVC, Mitsubishi, Panasonic, and Samsung are all prominent names on the list of members. As a caveat to prevent a lawsuit, I must add that these companies may provide excellent support and timely security patches; but your TV and security cameras are part of the IoT and, well, you know.

Senrio estimates that the number of vulnerable devices is in the tens of millions, based on statistics provided by SourceForge indicating that the SOAP development code has been downloaded just under 38,000 times in 2017 alone. Therefore, the odds of having a vulnerable device in your business or home are extremely good.

So, what can you do? Take an inventory of web-connected devices in your home or business (if you haven’t already), then look on each manufacturer’s support website to see if there is an update available. If an update doesn’t yet exist, you must weigh the risk of running the device on your network, and its impact on other computer resources, should malware use it as a pivot point to attack other nodes behind your firewall. The safer option is to either put your IoT devices on their own subnet (for the technical types) or not use the device until a patch is made available. Now that your attention is on your network, it may also be a good time to enable (sigh) or change those router passwords, as well as update all your operating systems and programs.

 Sources:

http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions

https://sourceforge.net/projects/gsoap2/files/stats/timeline?dates=2017-01-01+to+2017-07-12