Devil's Ivy PR Campaign Exploiting Manufacturer Cybersecurity

Author: IPVM Team, Published on Jul 20, 2017

Manufacturers increasingly have a bulls-eye on their back.

As cyber security solutions providers grow, they realize a great way to get publicity for themselves is to maximize coverage of exploits they discover.

In this report, we provide a behind the scenes examination of how one PR / marketing campaign came together, examining whether it is fair or foul and looking at the risks for manufacturers.

Company Behind PR Campaign - Senrio

A cyber security startup, Senrio, who sells a network monitoring appliance that detects abnormal network activity, discovered a vulnerability in a toolkit used in many ONVIF implementations.

Exploiting Vulnerabilities For PR

Rather than simply releasing public notice, Senrio launched a PR campaign, 'partnering' with publications as their PR firm explained to us:

We're partnering with a few journalists, want to give the the opportunity write the story in-depth, but under embargo. By publishing this early, we run the risk of the news leaking without the full story given to those we've promised it.

The PR firm was concerned that our timely coverage (July 10th) of this issue would jeopardize their PR campaign despite the impacted developer, Genivia, already having given public notice.

Winning at PR

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Senrio and their PR firm made out great, with numerous publications covering Senrio:

The results speak for themselves. There is no doubt hiring a PR firm and coordinating publication results in far greater coverage.

Senrio Over-States Vulnerability

One key problem is that Senrio inflames the matter with its naming and framing of it.

Senrio gave the vulnerability the name "Devil's Ivy" claiming:

We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse.

However, this is very easy to "kill", the software patch was a few lines of code that can be copy/pasted into any source code using the gSOAP toolkit with no adverse effects (we verified this with gSOAP's creator).

Attempting to hype up the potential impact Senrio states:

It is likely that tens of millions of products -- software products and connected devices -- are affected by Devil’s Ivy to some degree.

Though the company gives no indication of exactly how they come to this conclusion, apparently extrapolating from Genivia's claim their toolkit has more than 1 million downloads, and includes some big-name customers (IBM, Adobe, Xerox).

In a video walkthrough of their exploit, Senrio states that they had to run a shell on port 33153:

For most cameras in the wild, this port (or others) are unlikely to be opened on the firewall, which would prevent a remote connection into the shell, unless the hackers also had access to the router/firewall, or UPnP was enabled (both plausible possibilities, though unlikely).

Moreover, Senrio obscures the fact that exploiting this requires sending a 2GB XML file to the device, which increases complexity, and makes a mass-attack much more resource consuming. In their "Technical Details" blog post, they state this as a hex value instead, with no reference to how large of an XML file it really is:

Many security cameras, and other IoT devices, do not have a need for a user to upload a 2GB file, and have restrictions in place to limit max file upload size as a general security best-practice. In speaking with surveillance camera manufacturers, IPVM found that some manufacturers used gSOAP, but were not vulnerable, due to how they handled or limited file uploads.

In Wired's coverage the security researcher behind the Metasploit penetration tester also picks up on this, noting the complexities of the "Devil's Ivy" vulnerability that make it less threatening than Senrio would have readers believe:

H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio's findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, what he describes as a "silly" amount of bandwidth.

Senrio Benefits From Vulnerabilities

Senrio's product increases in value when potential customers perceive an increase in risks on their LAN. If customers do not fear devices on their network being hacked, or behaving erratically, they will have little incentive to purchase Senrio's products. Thus, hyping up this discovery, and getting multiple media outlets to cover it, stands to benefit Senrio, and in that sense is an understandable approach, even if it diverges from the more traditional approaches taken to vulnerability disclosures.

Manufacturers Are Responsible

Manufacturers are clearly responsible for the cyber security of their products, whether or not companies are looking to take advantage of this for marketing / PR reasons.

Security Manufacturers Beware

Security manufacturers are going to be facing increasing pressure around cyber security. The hunt for vulnerabilities is now funded by startups, who are far more interested than independent researchers and curious hackers that are not so motivated by brand building.

With this discovery, and associated press campaign, Senrio has proven that cyber security vulnerability discoveries are moving beyond topics of interest only to hard-core geeks, on to items of wider interest.

Larger manufacturers, those with name recognition or major market share are the most likely targets, as discoveries in those products will attract more attention than those in off-brand consumer goods.

4 reports cite this report:

Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer on Mar 30, 2018
Getting prompt and appropriate information on vulnerabilities is important for integrators and end users to ensure that their systems are best...
Hanwha / Kaspersky Vulnerability Dispute Examined on Mar 29, 2018
IT media ran numerous reports in the past month featuring two prominent companies - Hanwha (previously part of mega manufacturer Samsung) Techwin...
Top 2017 Trends - Cyber and Analytics on Nov 09, 2017
The 2 clear top 2017 trends, according to IPVM integrator statistics are: Cyber Security Video Analytics This is a change from 2016...
‘Experts' Fail On Dumbo IP Camera ‘Hack' on Aug 24, 2017
Dumbo, revealed by Wikileaks, has become big news. Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending...
Comments (5) : PRO Members only. Login. or Join.

Related Reports

Winter 2019 IP Networking Course on Jan 10, 2019
Today is the last day to register for the Winter 2019 IP Networking course. This is the only networking course designed specifically for video...
H.265 / HEVC Codec Tutorial on Jan 08, 2019
H.265 support improved significantly in 2018, with H.265 camera/VMS compatibility increased compared to only a year ago, and most manufacturers...
Surveillance Codec Guide on Jan 03, 2019
Codecs are core to surveillance, with names like H.264, H.265, and MJPEG commonly cited. How do they work? Why should you use them? What issues may...
Camera Course January 2019 on Jan 03, 2019
This is the only independent surveillance camera course, based on in-depth product and technology testing. Lots of manufacturer training exists...
ONVIF Profile T Examined on Dec 21, 2018
Despite ONVIF's overall success (11,000+ devices supported), ONVIF has been criticized for its limitations and problems, including VMD and video...
Bosch VDOO 2018 Vulnerability on Dec 20, 2018
Security research firm VDOO has discovered a critical vulnerability in Bosch IP cameras. Inside, we cover the available details of this new...
Dahua Lorex White Light Camera Tested on Dec 20, 2018
IP cameras with integrated white light LEDs are a growing trend, led by most notably Hikvision ColorVu. While the Hikvision models are not...
Genetec UL Cybersecurity Certificate (2900-2-3) Examined on Dec 19, 2018
Proving a company is cybersecure has become a major concern for security companies. But how trustworthy are these certificates? Earlier in 2018, a...
8MP / 4K Fixed Lens Camera Shootout - Dahua, Hikvision, TVT, Uniview on Dec 17, 2018
8MP / 4K fixed lens models are now common in lower cost lines, with nearly every Chinese brand and their OEMs now offering multiple options. To...
Ubiquiti $79 Flex IP Camera Tested on Dec 07, 2018
U.S. Manufacturer Ubiquiti has released a 1080p, integrated IR IP camera, selling it directly for $79, making this one of the least expensive IP...

Most Recent Industry Reports

Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
UK Fines Security Firms For Illegal Direct Marketing on Jan 16, 2019
Two UK security firms have paid over $200,000 in fines for illegally making hundreds of thousands of calls to people registered on a government...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Gorilla Technology AI Provider, Raises $15 Million, Profiled on Jan 15, 2019
Gorilla Technology is a Taiwanese video analytics manufacturer that recently announced a $15 million investment from SBI Group, saying this...
2019 IP Networking Book Released on Jan 14, 2019
The new IP Networking Book 2019 is a 285 page in-depth guide that teaches you how IT and telecom technologies impact modern security...
Arecont Costar Layoffs on Jan 14, 2019
Arecont Vision, a Costar Company, has laid off more than 10% of their workforce in a move the company described to IPVM as a result of "important...
The False SCMP Story on Hikvision NYC AI on Jan 14, 2019
In the past week, one of Asia's largest publications, the South China Morning Post (SCMP), posted an article about "Chinese [facial recognition]...
WDR Tutorial on Jan 11, 2019
Understanding wide dynamic range (WDR) is critical to capturing high quality images in demanding conditions. However, with no real standards, any...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact