'Millions of IoT gizmos' wide open to hijackers after devs drop gSOAP

Security researchers investigating internet-connected video cameras have uncovered a bug that could conceivably leave millions of devices open to easy pwnage. The team from embedded security specialists Senrio was looking into the code running an M3004-V network camera from Axis Communication. They found a serious hole in the …

  1. Ogi
    Facepalm

    Of course it won't happen anytime soon

    I mean, why would vendors patch old hardware?

    On one hand, they can spend time and money updating old firmware, then somehow sending the firmware out to owners, with instructions on how to update (and handle all the support calls), for no extra income, or..

    They can just not care, state that the old hardware is "deprecated", and that the "fix" is to buy their latest shiny.

    The second option is more profitable for them, precisely because there is no way of forcing them to fix old hardware. If you think about it, other industries have recalls, especially if a big problem is found, and companies are forced to do this, usually by whoever regulates their industry.

    Software has no such regulator, so they can pretty much just wash their hands of the problem. If it causes the end user too much bother they should "upgrade" then.

    Not sure what the best way of handling this is. On one hand, having millions of vulnerable IoT devices is just a botnet in waiting really. On the other hand, banning the devices from use or forcing companies to issue security patches both seem unlikely to happen and regulators could stifle what is a rather dynamic industry (for better or for worse).

    My favorite solution is to just not have IoT devices unless absolutely necessary (and admittedly CCTV is one place where it is useful), however there seems to be a drive to shove a computer into every single thing possible, from children's toys to cars, and even lampposts, buildings and roads.

    The world looks more and more like a cyberpunk dystopia as time goes on...

    1. Kevin McMurtrie Silver badge

      Re: Of course it won't happen anytime soon

      I own a couple of Axis cameras and they've been very good about maintaining the software. The camera is actually gaining performance and features as it ages.

      1. Anonymous Coward

        Re: Of course it won't happen anytime soon

        We've deployed a few thousand Axis cameras for over 10 years and while it's way more expensive than anything emanating from China they've been robust and the customer service has been excellent.

        That 3004-V camera mentioned in article is maybe a 5-year-old model but it's still supported until 2021 according to Axis website.

        If your CCTV system is truly separated from all other networks then those Dahua's and other cheapos are perfectly fine image quality wise even if the UIs and documentation are sometimes severely lacking.

    2. Mad Mike

      Re: Of course it won't happen anytime soon

      Perhaps the answer is to make it worth their while?

      Why should software not be treated like any other product? Software is almost thought of as something that will have bugs and errors, and it's just what you get. Nobody has any expectation that software will work, be stable and secure. If I sold you a car and it had faults, I would be expected to fix them and potentially be liable for issues that arise from them, in theory up to and including corporate manslaughter. If I was aware of a fault and did nothing about it and someone got killed as a result, I could be held liable. Now, in reality, this very, very rarely happens.

      But, why should people supplying software not have a duty put upon them to take reasonable care in its creation and then to act promptly if they find issues later? So, for instance, if IoT devices got hacked and streaming video of people naked etc. went on the internet, why should the companies not be sued if they haven't issued a fix? After all, one could argue it's their incompetence/attitude that has caused the issue?

      It would certainly make companies take writing and maintaining software somewhat more carefully at the very minimum.

      1. Charles 9 Silver badge

        Re: Of course it won't happen anytime soon

        Simple. A car can kill someone. DIRECTLY, as in run them over. Until common IoT things can directly kill someone, legislatures won't jump in.

      2. Chris G Silver badge

        Re: Of course it won't happen anytime soon

        I would be interested to hear from a legal point of view whether or not 'duty of care' could apply to IoT software, where it may affect somebody's safety or wellbeing. Wellbeing is a fairly open phrase and the hacking or failure of software could lead to injury or ill health.

    3. Blotto Silver badge

      Re: Of course it won't happen anytime soon

      The answer is to secure the network the cameras reside on, ensuring the devices never receive the crafted messages that will pwn them.

      If you're not doing that already then simply sniffing the traffic over port 80 will get you the login and other details anyway.

      This would be much more of an issue with IPv6 with all those internal hosts directly addressable on the net without default NAT provided by the current limitations of IPv4.

      1. hmv

        Re: Of course it won't happen anytime soon

        "the answer is to secure the network the cameras reside on"

        No, that's a work-around and not suitable for environments where the attack comes from the inside.

        And IPv6 is relevant only if you have a badly configured firewall and a less than half-competent firewall administrator.

  2. Anonymous Coward
    Windows

    Maybe I'm growing into a grumpy cynic but...

    Wouldn't it be news if there was an IoT type device out there which didn't have any 'sploits?

    1. Halfmad

      Re: Maybe I'm growing into a grumpy cynic but...

      That'd be like finding a needle in a haystack..

    2. DropBear

      Re: Maybe I'm growing into a grumpy cynic but...

      The same question that the "cursed" old hag promising to turn back into a gorgeous princess after a round of sex asked the young prince needs to be asked here: "Just how old are you, lad? ...and you still believe in fairy tales?!?" There is no such thing as bug-free or perfectly secure software, and there cannot be any, by definition, as long as we create code the way we do now. We can (and should) keep fixing what we can, but we should at all times keep in mind that by doing it we fundamentally change _absolutely nothing_ about the status quo - nothing will become "fixed" by the act except for that specific vulnerability we just patched. Come on, say it. "Still buggy. Still pwnable."

      1. Charles 9 Silver badge

        Re: Maybe I'm growing into a grumpy cynic but...

        Oh? What about formally proven software?

    3. ecofeco Silver badge

      Re: Maybe I'm growing into a grumpy cynic but...

      https://techcrunch.com/2016/10/01/learned-helplessness-and-the-languages-of-dao/

      1. Charles 9 Silver badge

        Re: Maybe I'm growing into a grumpy cynic but...

        Sounds all nice until the real world butts in. You know the old saying, "Good, Quick, Cheap. Pick any TWO." Problem is, the bean counters and higher-ups usually call dibs on the Cheap and Quick, figuring paying for the occasional flub is less than doing it Good. Leaving you kinda backed into a corner.

  3. Anonymous Coward

    Our only hope now is a white-hat worm which goes around bricking IoS devices, to neutralize them off the internet.

    1. Anonymous Coward
      Holmes

      Our only hope is that millions of consumers responsibly send all that cheap plastic crap to the recycle bin as quickly as possible.

  4. Adrian 4 Silver badge

    Exploits are limited to IoT devices now?

    How about criticising faulty computers, rather than a somewhat small class of computing devices.

    1. Dan 55 Silver badge

      Computers tend to get updates eventually, IoT tend not to.

      What we now have is a whole set of devices which can be owned and there's nothing anyone can do about it apart from throw them in the bin.

      That is why it is newsworthy.

      1. Anonymous Coward

        "Computers tend to get updates eventually"

        Well gosh darned... I have yet to see any pirated Windows (that entire countries run on in some parts of the world... allegedly) ever get any "updates". Just sayin'.

        1. Dan 55 Silver badge
          Pirate

          That's probably because they're not doing it right.

    2. Anonymous Coward
      Holmes

      @Adrian - somewhat small class of TENS OF MILLIONS OF computing devices

      FIFY

  5. the Jim bloke Silver badge

    Requires an incentive

    While anything that increases Big Brother's ability to interfere with citizens' lives is bad, this appears to call for some legal enforcement.

    Something similar to existing consumer protection laws, Device must be fit for purpose and free of defects.. Applying this to Internet of Tat (don't call it 'shit', cause S can be for security)

    Any internet connected device determined to have a software vulnerability to be patched, or purchase price refunded by the retailer. Sunset clause based on reasonable life expectancy of device.

    This will punish retailers for flogging such rubbish, and eventually the reputable ones will start putting pressure on suppliers to improve quality. As has been said countless times here, you can't rely on the end-users.

    Still won't stop fly-by-night / back of van vendors, but if you buy from those, you deserve what you get.

    1. Graham Cobb Silver badge

      Re: Requires an incentive

      Unfortunately that won't work. It places the incentive on the wrong people.

      The people that have to be incentivised are the owners. If I own a crappy IoT device (I may not even know it is one: think teddy bears) I need an incentive to upgrade or replace it if it can be hacked. Even if a refund is available, I guess less than 1% of people will bother if it is "working" for them.

      1. Dan 55 Silver badge

        Re: Requires an incentive

        You've just shown how incentivising the owners doesn't work.

        Retailers are the gateway into a market, that's where the pressure should be applied if the manufacturer itself has no presence there.

        1. Charles 9 Silver badge

          Re: Requires an incentive

          And if the retailer has no physical presence, either, because it's an E-tailer stationed out of the country?

          Or if it's a gray market where the devices are obtained straight from a manufacturer website again out of the country?

          1. Dan 55 Silver badge

            Re: Requires an incentive

            If you stop all bricks and mortar retailers, all web retailers based in the country, Amazon, and eBay, you've basically stopped the problem. There are a few that can still get through, but that doesn't mean that the effort was in vain.

            1. Charles 9 Silver badge

              Re: Requires an incentive

              But then, how do you stop Amazon and eBay? If you try to push them, they could push back and tick off lots of customers (and by extension, constituents), causing them to complain to their governments for being heavy-handed.

              1. Dan 55 Silver badge

                Re: Requires an incentive

                The same way you stop them listing and selling other banned goods. They have to follow the law.

                1. Charles 9 Silver badge

                  Re: Requires an incentive

                  What law? If they're extraterritorial, they're not subject to your laws.

  6. Anonymous Coward

    Cutting corners ...

    Security and quality should have been designed into a project from day one. There should be testing of every execution path and a fresh set of eyes review the code line by line looking for potential problems.

    But you can cut man hours in half or more ignoring all that and just releasing garbage with known bugs and vulnerabilities as release code.

    1. kain preacher

      Re: Cutting corners ...

      You are assuming they care. We have seen it time after time. IoT is about making a quick buck.

    2. DropBear

      Re: Cutting corners ...

      Pray tell, what sort of so far unheard-of Herculean-level effort you reckon would achieve that in this case, where the fault was buried in a widely-used third party component that no manufacturer in their right mind would ever consider or could ever be forced to audit? That, and what exactly are you smoking?

  7. Anonymous South African Coward Silver badge

    Yay for more vulnerabilities! Viva the Emperor, Viva!!

  8. Gordon Pryra

    Is it possible to get a list of the IoT "Shower Heads" out there?

    Just for research purposes obviously....

  9. John Smith 19 Gold badge
    FAIL

    But note. Root cause --> FOSS library with insufficient testing and/or bug searching.

    Open source is a necessary condition to finding bugs.

    It is not a sufficient condition for there being no bugs to find.

    Actually looking at the f**king code (or running it through some of the available testing tools before release) would be a good idea.

    Hint. If it compiles with a bunch of warnings and you released anyway, that's on you.

    You can bet that's just burned some part of several TLA's zero day exploits.

  10. David Roberts

    SOAP

    I didn't read in the report that these versions of the SOAP libraries were used ONLY in IoT devices.

    It would be good to have a list of all the software which relies on the libraries.

    Granted that IoT is one of the areas least likely to patch. Given that the pricing does not seem to allow for ongoing software maintenance. Much like the Android mobile phone and tablet market, amongst others.

    Disclosure: posting from a Sony Xperia Z tablet which still seems to be going strong but hasn't had an OS update for years.

    It would be nice if people who want bug fixes and software upgrades could subscribe to a support agreement. Which should of course reflect the true cost of support. Then anyone whinging that their 10 year old OS isn't being patched for free would have one less leg to stand on.

    1. Graham Cobb Silver badge

      Re: SOAP

      "It would be good to have a list of all the software which relies on the libraries."

      Fortunately it seems to be less than I feared. I note that the package is not installed on my systems (Debian workstations) and a quick apt-cache rdepends libgsoap10 doesn't show any well-known things using it. So it may be that the IoT devices are the biggest vulnerabilities.

  11. ecofeco Silver badge

    Over before it began

    So IdioT is over before it really began.

    That was quick.


Biting the hand that feeds IT © 1998–2022