Millions of internet-connected smart devices around the world may be vulnerable to hacking due to a newly discovered security flaw in a piece of software code that is widely used across the internet-of-things (IoT) industry, security experts have warned.
Dubbed "Devil's Ivy" by researchers from cybersecurity company Senrio, the flaw can be exploited to completely hijack web-connected cameras. But the firm has warned that "millions" of other IoT products built upon the same open source code could also be at risk.
The team uncovered the problem while analysing a security camera made by Axis Communications. Experts found a critical vulnerability in the software toolkit gSoap (Simple Object Access Protocol), used by developers to enable internet connectivity.
In the case of the now-discontinued Axis IoT camera, using the bug would allow an attacker to remotely hack into its live video feed or lock out administrator access.
The manufacturer later confirmed that the bug was present in 249 distinct camera models, but for the industry at large the problems didn't end there.
Researchers from Senrio eventually turned to gSoap's developer, Genivia, which revealed that the flawed software had more than one million downloads in total. Customers using the code included IBM, Microsoft and Adobe, the cybersecurity firm found.
Senrio said software or device manufacturers relying on gSoap support will be affected by Devil's Ivy, but would not comment on the total number of vulnerable products in the wild.
Genivia has released a patch which all gSoap users are advised to urgently install. Despite this, the fallout from the incident may be "difficult to entirely eliminate" because the flaw is "nearly impossible to kill and spreads quickly through code reuse," the experts warned.
The revelation only adds to mounting scepticism about the security of IoT. A rush-to-market approach has resulted in lax standards, and the consequences of this can be severe.
This was evidenced by the outbreak of Mirai malware in September last year, which exploited weak security across the board to enslave Linux-based IoT products into a massive botnet and then launch distributed-denial-of-service (DDoS) cyberattacks against a slew of targets.
"The Internet of Things is ushering in an age of ambient computing," Senrio researchers warned in a blog post, published on Tuesday 18 July. "The more pervasive networked embedded devices become in our lives, the more important it is to ensure they are resilient against attack.
"Identifying vulnerabilities in such devices is one way to help make them more secure.
"Devil's Ivy was found while researching a security camera, but our research shows that a wide range of IoT devices have similar problems.
"We forget or don't realise that many of the devices we use every day are computers — from the stoplight at your street corner to the Fitbit you wear on your wrist — and therefore are just as, if not more, vulnerable as the PC you sit in front of every day."