According to recent news reports, millions of products, including airport surveillance cameras, sensors, networking equipment and other IoT devices, are vulnerable to a flaw that allows attackers to remotely gain control over devices or crash them. The vulnerability, named Devil’s Ivy, was identified by researchers who singled out high-end security cameras manufactured by Axis Communications. The researchers at Senrio said that 249 of 251 Axis camera models are vulnerable to Devil’s Ivy. IT security experts from Synopsys commented below.
Chris Schmidt, Senior Manager – Research at Synopsys:
“This problem stems from a paradigm shift in how software is written. Engineers often go out of their way to select a library from a catalogue of hundreds of possibilities which most closely matches the capabilities they desire with the smallest possible footprint. More often than not, this results in the use of immature code, which compounds when applications inherit the risks, bugs, and flaws that exist across all those purpose-built libraries they’ve imported to support the capabilities they require for the application.
“The rate at which new libraries are created and posted online exceeds our ability to provide adequate review of them, and adoption of the latest technology can happen in hours based on word-of-mouth from social networks like Twitter.
“Sites like StackOverflow provide a fertile breeding ground for insecure code, owing to the number of inexperienced, but well-meaning engineers sharing code solutions to specific problems online; forums that are generally closed to people outside of specific industries, types of applications, languages, or frameworks breed pervasive vulnerabilities due to the lack of visibility outside of a specific group of users.
“Organisations can help temper the wildfire of these types of pervasive security issues by enforcing policies that require verification and independent review of third-party code before it’s used; however, this generally doesn’t scale and severely limits the ability of engineers to innovate at a competitive speed.”
Mike Ahmadi, Global Director of Critical Systems Security at Synopsys:
“We have managed to work our way into a hole, and it is going to get a lot worse before it gets better. The still prevalent lack of vulnerability identification and weak authentication by device manufacturers means that we potentially face decades of problems. I hate to paint a grim picture, but hopefully it will cause organisations to dedicate more resources towards proactively addressing these issues.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.