Devil's Ivy vulnerability poisoning millions of IoT devices
Recent news reports have revealed that millions of products, ranging from airport surveillance cameras and sensors to networking equipment and other IoT devices, are vulnerable to a flaw that allows attackers to remotely gain control of the device or crash it. Because the flaw lies in a third-party code library rather than in any one vendor's product, it is inherited by every product that bundles that library. The vulnerability, named Devil's Ivy, was identified by researchers at Senrio, who singled out high-end security cameras manufactured by Axis Communications: according to Senrio, 249 of the 251 Axis camera models are vulnerable to Devil's Ivy.
Chris Schmidt, Senior Manager, Research at Synopsys, said: "Pervasive vulnerabilities in third-party libraries are a well-understood problem and highlight something that we, as a community of both security experts and software engineers, need to work together to resolve. Software will continue to depend more and more on code re-use and third-party libraries and frameworks.
"This problem stems from a paradigm shift in how software is written. Engineers often go out of their way to select a library from a catalogue of hundreds of possibilities that most closely matches the capabilities they desire with the smallest possible footprint. More often than not, this results in the use of immature code, which compounds when applications inherit the risks, bugs, and flaws that exist across all those purpose-built libraries they've imported to support the capabilities they require for the application.
"The rate at which new libraries are created and posted online exceeds our ability to provide adequate review of them, and adoption of the latest technology can happen in hours based on word-of-mouth from social networks like Twitter.
"Sites like StackOverflow provide a fertile breeding ground for insecure code, owing to the number of inexperienced but well-meaning engineers sharing code solutions to specific problems online; forums that are generally closed to people outside of specific industries, types of applications, languages, or frameworks breed pervasive vulnerabilities due to the lack of visibility outside of a specific group of users.
"Organisations can help temper the wildfire of these types of pervasive security issues by enforcing policies that require verification and independent review of third-party code before it's used; however, this generally doesn't scale and severely limits the ability of engineers to innovate at a competitive speed."
Mike Ahmadi, Global Director of Critical Systems Security at Synopsys, added: "We are now bearing witness to a world where mass-produced IoT devices lack any reasonable programme for vulnerability identification and management. This, coupled with weak authentication, means that many of these devices are just waiting for their turn to become victims of the hack-of-the-week club.
"We have managed to work our way into a hole, and it is going to get a lot worse before it gets better. The still prevalent lack of vulnerability identification and weak authentication by device manufacturers means that we potentially face decades of problems. I hate to paint a grim picture, but hopefully it will cause organisations to dedicate more resources towards proactively addressing these issues."
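The vulnerability identification programme Ahmadi calls for starts with knowing which third-party components each product ships and matching that inventory against advisories as they appear; that is how a single library flaw turns into a "249 of 251 models" count. The following is an added example written for this article, not code from Senrio, Synopsys, Axis or any device vendor: it checks a per-product component inventory against an advisory list using version-range matching and reports how many products each advisory reaches. All product names, library names, versions and advisory identifiers below are constructed sample data.

```python
"""Component inventory check: which products ship an affected version of a
third-party library?  Added example, not vendor or researcher code.  Every
product, component, version and advisory here is constructed sample data, and
the advisory identifiers are hypothetical."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE
    component: str     # library name exactly as it appears in the inventory
    affected: str      # comma-separated clauses, e.g. "<3.2.5" or ">=1.0,<1.0.3"


def parse_version(text):
    """Turn '3.2.4' (or '3.2.4-rc1') into a tuple of ints.
    Pre-release suffixes are ignored: '3.2.4-rc1' compares as 3.2.4.  That is a
    deliberate simplification; tighten it if your feed distinguishes them."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def cmp_versions(a, b):
    """Three-way compare of version tuples, zero-padding the shorter one so
    that 3.2 == 3.2.0 rather than 3.2 < 3.2.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*([^\s,]+)$")   # "<=" before "<" matters
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0}


def in_range(version, spec):
    """True if version satisfies every clause in spec (clauses are ANDed)."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](cmp_versions(v, parse_version(bound))):
            return False
    return True


def affected_products(sboms, advisories):
    """Map each product to the advisory ids whose affected range covers one of
    its inventoried components.  Products with no hits are omitted."""
    result = {}
    for product, components in sboms.items():
        hits = [adv.advisory_id for comp in components for adv in advisories
                if adv.component == comp.name and in_range(comp.version, adv.affected)]
        if hits:
            result[product] = hits
    return result


def blast_radius(sboms, advisories):
    """Per advisory, how many products in the inventory are affected: the
    fan-out from one library flaw to many products that the article describes."""
    counts = {adv.advisory_id: 0 for adv in advisories}
    for hits in affected_products(sboms, advisories).values():
        for advisory_id in set(hits):
            counts[advisory_id] += 1
    return counts


# Constructed sample inventory: one component list (SBOM) per product.
SBOMS = {
    "camera-model-a": [Component("netlib", "3.2.4"), Component("tlslib", "1.1.0")],
    "camera-model-b": [Component("netlib", "3.2.5"), Component("tlslib", "1.1.0")],
    "sensor-hub":     [Component("netlib", "3.1.9"), Component("httpd-lite", "0.9")],
    "edge-switch":    [Component("tlslib", "1.0.2")],
}

# Constructed sample advisories with hypothetical identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "netlib", "<3.2.5"),
    Advisory("ADV-EXAMPLE-0002", "tlslib", ">=1.0,<1.0.3"),
]

if __name__ == "__main__":
    for product, ids in affected_products(SBOMS, ADVISORIES).items():
        print(f"{product}: {', '.join(ids)}")
    for advisory_id, n in blast_radius(SBOMS, ADVISORIES).items():
        print(f"{advisory_id}: {n} of {len(SBOMS)} products affected")
```

The check only works if the inventory exists and the component names in it match the names used in the advisory feed; in practice that means generating an SBOM from the firmware build rather than from documentation, and normalising names (the example assumes exact string equality). The version comparison ignores pre-release suffixes and vendor patch levels, which is usually fine for "is it older than the fixed release" questions but should be revisited when a vendor backports fixes without bumping the version.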