New IoT vulnerability could affect millions of devices

iStock credit: Matej Moderc

The M3004 Axis Communications security camera is vulnerable to cyber attacks and many other Internet of Things (IoT) devices may be susceptible, security experts have indicated.

Cybersecurity specialists Senrio found a stack buffer overflow vulnerability they entitled Devil’s Ivy, which allows attackers to remotely access a video feed or deny an owner the chance to watch media. As these cameras are typically used for security purposes, it could give criminals access to sensitive information.

In its blog, Senrio decided to call the issue Devil’s Ivy because of how it spreads through code reuse. Due to its source existing in a third-party toolkit, it can be downloaded millions of times and spread easily, so a high number of devices could be impacted.

The experts spoke to Axis and found that the issue is present in 249 camera models. The manufacturer then released patched firmware and prompted partners and customers to upgrade.

“The Internet of Things is ushering in an age of ambient computing. The more pervasive networked embedded devices become in our lives, the more important it is to ensure they are resilient against attack. 

“Identifying vulnerabilities in such devices is one way to help make them more secure.  Devil’s Ivy was found while researching a security camera, but our research shows that a wide range of IoT devices have similar problems,” the blog post read.

The post explained that where cost, efficiency and interoperability are concerned, it is vital to remember that “code reuse is vulnerability reuse” and leaves devices open to cyber attacks.

As well as this, the Devil’s Ivy issues underline concerns with the security of the IoT, with many people forgetting that a lot of devices are just as vulnerable to hackers as computers.

IoT devices have become popular purchases for consumers, with fitness bands, smartwatches and smart home devices, such as the Amazon Echo, continuing to attract buyers. 

However, it is clear that more knowledge of cyber threats is required in order for businesses and consumers to protect their data.