The Internet of Things isn't very secure. That shouldn't shock anyone at this point, and yet people keep buying smart-home and other internet-connected gadgets like there's no tomorrow.
Take, for example, the AXIS M3004-V Network Camera, a moderately priced Swedish commercial security camera with a fatal flaw that opens it up to ingenious hackers. The Axis has already been patched, but the flaw is endemic in open-source software that may affect thousands of similar cameras and other Internet of Things devices, most of which will never be fixed.
Senrio, a Portland, Oregon-based security firm, discovered the flaw and termed it "Devil's Ivy." Like the plant that bears its name, Devil's Ivy is ugly, invasive and dangerous. The flaw itself is not terribly interesting. By overflowing the amount of variables the Axis camera's software can parse, the researchers were able to force the camera to reset and then take full control of it.
If taken advantage of in the wild, this flaw could allow anyone sufficiently tech-savvy and dedicated to see whatever your security camera sees. It's unsavory and potentially dangerous, but at least Axis has issued a patch. That won't help the hundreds of other cheap security cameras that rely on similar software, though.
Axis runs on open-source software known as gSOAP (Simple Object Access Protocol), which also powers a number of other smart-home devices. Axis alone used the software in 249 varieties of camera, and the gSOAP software has been downloaded 30,000 times this year.
While Axis itself helps maintain the open-source database, it is by no means the only company to use it, or to make specialized versions to suit its own products. Cheap security camera manufactures don't have the best track record of patching their products, either.
"It is likely that tens of millions of products — software products and connected devices — are affected by Devil's Ivy to some degree," the Senrio researchers wrote.
Maybe; maybe not. Independent security researcher Brian Krebs believes that the flaw is dangerous, but perhaps not as dire as Senrio led its readers to believe.
"IPVM [a video-surveillance-industry publication] polled almost a dozen top security camera makers, and said only two (including Axis) responded that they used the vulnerable gSOAP libraries," Krebs pointed out.
In speaking with IPVM business analyst Brian Karas, Krebs also discovered that the flaw would not be easy to reproduce, since it requires a web interface for the camera, as well as 2 GB worth of uploaded malicious code.
That doesn't necessarily mean that cheap security cameras using gSOAP protocols are safe — just that it might be more trouble than it's worth to compromise them. On the other hand, security cameras costing less than $100 tend to be more vulnerable than the average smart-home device. Why add a security risk to your home if you don’t really need one?
If you own an Axis camera, it should be safe, at least provided that you've kept its firmware up to date. If you own a different cheap security camera, it could be very difficult to tell whether it runs on gSOAP programming, let alone whether it's secure.
As usual, we recommend that you buy your internet-connected home security camera from a large, reputable manufacturer. Despite their growing popularity, there's never been a scientific study on whether webcam-based home security cameras actually deter burglars — and, as we've seen, they might just invite hackers.