
How does the Devil's Ivy bug compromise security cameras?

The Devil's Ivy bug affects millions of internet-connected security cameras. Expert Judith Myerson explains how the exploit works and what can be done to prevent it.

In 2017, researchers discovered a flaw called Devil's Ivy that affected millions of internet-of-things devices.

What is the Devil's Ivy bug and how can enterprises defend against it?

The Devil's Ivy bug is a vulnerability that enables hackers to operate as the root user on the targeted device.

The flaw is in the gSOAP library, a third-party toolkit that provides automated SOAP and XML data binding for C and C++. Researchers at the internet of things (IoT) security startup Senrio found the flaw in a commercial indoor security camera made by the Swedish company Axis Communications AB.

To demonstrate the flaw, the researchers hijacked an Axis model M3004 camera mounted in the home of a co-worker. During the demonstration, which the team filmed, every movement the adviser made was observed from about 3,000 miles away.

The security camera exploit is possible because of a stack-based buffer overflow vulnerability that the Senrio researchers dubbed the Devil's Ivy bug. A programming-savvy hacker could take advantage of this overflow to access the video feed of a sensitive location, such as a bank lobby. The attacker could also potentially view a crime in progress and prevent the video from recording the crime.

The video provided in Senrio's technical advisory shows how the researchers found the Devil's Ivy bug. The vulnerability was lurking in the deep communication layers of gSOAP.

Using Nmap as a port scanner, the researchers found that port 3702, which used the Web Services Dynamic Discovery protocol (WS-Discovery), was open. The process that handles WS-Discovery loads the vulnerable code from the gSOAP library to parse incoming SOAP messages.

As the unprivileged user, the researchers gained access to a shell. They then found the permissions settings in a text file on the camera. Next, they removed restrictions that prevented unprivileged users from using the reset command.

After giving the camera several minutes to process the malicious changes, the researchers were able to reset the device, which was rebooted to its factory defaults. The researchers were then prompted for a new password, giving them full remote control of the device.

To fix the Devil's Ivy bug, Axis Communications released firmware patches for around 250 of its camera models. Axis' customers include most of the top Fortune 500 companies.

In addition, Axis Communications and Genivia, the developer of gSOAP, both recommend placing the cameras and IoT devices behind a firewall that properly closes vulnerable ports.
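
One way to check that recommendation on a network you administer, shown as an added example that is not from the original article or from Axis, Genivia or Senrio: the script reads Nmap grepable (`-oG`) output and lists hosts where port 3702 is still reachable. The scan lines, host names and addresses are constructed sample data.

```python
# Added example: audit Nmap grepable (-oG) output for hosts exposing port 3702.
import re

WSD_PORT = 3702  # WS-Discovery port named in the article
# States treated as reachable. UDP scans report "open|filtered" when no reply
# arrives, so that state is flagged for manual review rather than ignored.
EXPOSED_STATES = {"open", "open|filtered"}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def exposed_hosts(grepable_text, port=WSD_PORT):
    """Return sorted (ip, protocol, state) tuples for hosts with `port` reachable."""
    findings = set()
    for line in grepable_text.splitlines():
        m = HOST_LINE.match(line.strip())
        if not m:
            continue  # comment lines, "Status: Up" lines and so on
        ip, _name, ports = m.groups()
        # Drop trailing tab-separated sections such as "Ignored State: ..."
        ports = ports.split("\t")[0]
        for entry in ports.split(","):
            # Field layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            if int(fields[0]) == port and fields[1] in EXPOSED_STATES:
                findings.add((ip, fields[2], fields[1]))
    return sorted(findings)


# Constructed sample: three cameras on a documentation-range subnet.
SAMPLE_SCAN = "\n".join([
    "# Nmap scan output (constructed sample)",
    "Host: 192.0.2.10 (cam-lobby)\tStatus: Up",
    "Host: 192.0.2.10 (cam-lobby)\tPorts: 80/open/tcp//http///, "
    "3702/open|filtered/udp//ws-discovery///",
    "Host: 192.0.2.11 (cam-dock)\tPorts: 80/open/tcp//http///, "
    "3702/closed/udp//ws-discovery///",
    "Host: 192.0.2.12 ()\tPorts: 3702/open/tcp//ws-discovery///"
    "\tIgnored State: filtered (999)",
])

if __name__ == "__main__":
    for ip, proto, state in exposed_hosts(SAMPLE_SCAN):
        print(f"{ip}: {WSD_PORT}/{proto} is {state}; restrict it at the firewall")
```

Any host the script reports is a candidate for a firewall rule or for the vendor's firmware update.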


This was last published in February 2018


Are you worried about bugs like Devil's Ivy compromising your home security camera? Why or why not?
I am rather curious as to how the researchers hijacked the camera in question. It suggests to me that the camera, as an IOT device, was connected to a non-secured network. My presumption is that if the network had been secured, with port 3702 closed, no port scanner would have found anything. Plus, the port scanner had to have physical access to the network, either wired or wirelessly. Where is the network security? Best practice mandates closing all ports unless they’re required and authenticating all devices on the network. I have no doubt that many IOT devices have security holes in them, RWHAT-based medical devices come to mind. That is why real network security is imperative.