Devil's Ivy PR Campaign Exploiting Manufacturer Cybersecurity

Author: IPVM Team, Published on Jul 20, 2017

Manufacturers increasingly have a bulls-eye on their back.

As cyber security solutions providers grow, they realize a great way to get publicity for themselves is to maximize coverage of exploits they discover.

In this report, we provide a behind the scenes examination of how one PR / marketing campaign came together, examining whether it is fair or foul and looking at the risks for manufacturers.

Company Behind PR Campaign - Senrio

A cyber security startup, Senrio, who sells a network monitoring appliance that detects abnormal network activity, discovered a vulnerability in a toolkit used in many ONVIF implementations.

Exploiting Vulnerabilities For PR

Rather than simply releasing public notice, Senrio launched a PR campaign, 'partnering' with publications as their PR firm explained to us:

We're partnering with a few journalists, want to give the the opportunity write the story in-depth, but under embargo. By publishing this early, we run the risk of the news leaking without the full story given to those we've promised it.

The PR firm was concerned that our timely coverage (July 10th) of this issue would jeopardize their PR campaign despite the impacted developer, Genivia, already having given public notice.

Winning at PR

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Senrio and their PR firm made out great, with numerous publications covering Senrio:

The results speak for themselves. There is no doubt hiring a PR firm and coordinating publication results in far greater coverage.

Senrio Over-States Vulnerability

One key problem is that Senrio inflames the matter with its naming and framing of it.

Senrio gave the vulnerability the name "Devil's Ivy" claiming:

We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse.

However, this is very easy to "kill", the software patch was a few lines of code that can be copy/pasted into any source code using the gSOAP toolkit with no adverse effects (we verified this with gSOAP's creator).

Attempting to hype up the potential impact Senrio states:

It is likely that tens of millions of products -- software products and connected devices -- are affected by Devil’s Ivy to some degree.

Though the company gives no indication of exactly how they come to this conclusion, apparently extrapolating from Genivia's claim their toolkit has more than 1 million downloads, and includes some big-name customers (IBM, Adobe, Xerox).

In a video walkthrough of their exploit, Senrio states that they had to run a shell on port 33153:

For most cameras in the wild, this port (or others) are unlikely to be opened on the firewall, which would prevent a remote connection into the shell, unless the hackers also had access to the router/firewall, or UPnP was enabled (both plausible possibilities, though unlikely).

Moreover, Senrio obscures the fact that exploiting this requires sending a 2GB XML file to the device, which increases complexity, and makes a mass-attack much more resource consuming. In their "Technical Details" blog post, they state this as a hex value instead, with no reference to how large of an XML file it really is:

Many security cameras, and other IoT devices, do not have a need for a user to upload a 2GB file, and have restrictions in place to limit max file upload size as a general security best-practice. In speaking with surveillance camera manufacturers, IPVM found that some manufacturers used gSOAP, but were not vulnerable, due to how they handled or limited file uploads.

In Wired's coverage the security researcher behind the Metasploit penetration tester also picks up on this, noting the complexities of the "Devil's Ivy" vulnerability that make it less threatening than Senrio would have readers believe:

H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio's findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, what he describes as a "silly" amount of bandwidth.

Senrio Benefits From Vulnerabilities

Senrio's product increases in value when potential customers perceive an increase in risks on their LAN. If customers do not fear devices on their network being hacked, or behaving erratically, they will have little incentive to purchase Senrio's products. Thus, hyping up this discovery, and getting multiple media outlets to cover it, stands to benefit Senrio, and in that sense is an understandable approach, even if it diverges from the more traditional approaches taken to vulnerability disclosures.

Manufacturers Are Responsible

Manufacturers are clearly responsible for the cyber security of their products, whether or not companies are looking to take advantage of this for marketing / PR reasons.

Security Manufacturers Beware

Security manufacturers are going to be facing increasing pressure around cyber security. The hunt for vulnerabilities is now funded by startups, who are far more interested than independent researchers and curious hackers that are not so motivated by brand building.

With this discovery, and associated press campaign, Senrio has proven that cyber security vulnerability discoveries are moving beyond topics of interest only to hard-core geeks, on to items of wider interest.

Larger manufacturers, those with name recognition or major market share are the most likely targets, as discoveries in those products will attract more attention than those in off-brand consumer goods.

4 reports cite this report:

Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer on Mar 30, 2018
Getting prompt and appropriate information on vulnerabilities is important for integrators and end users to ensure that their systems are best...
Hanwha / Kaspersky Vulnerability Dispute Examined on Mar 29, 2018
IT media ran numerous reports in the past month featuring two prominent companies - Hanwha (previously part of mega manufacturer Samsung) Techwin...
Top 2017 Trends - Cyber and Analytics on Nov 09, 2017
The 2 clear top 2017 trends, according to IPVM integrator statistics are: Cyber Security Video Analytics This is a change from 2016...
‘Experts' Fail On Dumbo IP Camera ‘Hack' on Aug 24, 2017
Dumbo, revealed by Wikileaks, has become big news. Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending...
Comments (5) : PRO Members only. Login. or Join.

Related Reports

Genetec Security Center 5.8 Tested on Mar 19, 2019
Genetec has released Version 5.8. This comes after a wait of more than a year that caused frustrations for many Genetec partners. Our previous...
Hikvision Favorability Results 2019 on Mar 18, 2019
Hikvision favorability results declined significantly in IPVM's 2019 study of 200+ integrators. While in 2017 Hikvision's favorability was...
ONVIF Favorability Results 2019 on Mar 15, 2019
In the past decade, ONVIF has grown from a reaction to the outside Cisco-lead PSIA challenge, to being the de facto video surveillance standard...
Arcules Favorability Results 2019 on Mar 08, 2019
Arcules has amazing advantages. Tens of millions of funding from Canon. Unlimited access to Milestone's source code (see our test results). But...
Prysm PSIM Profile on Mar 05, 2019
A decade ago, PSIM promised significant potential but has always suffered from significant problems. Now, a number of PSIMs have either gone out of...
Salient CompleteView 20/20 VMS Tested on Feb 27, 2019
In IPVM's last test of Salient 3 years ago, we found various problems and deficiencies. Now, Salient says their new CompleteView 20/20 "unified...
Cisco Meraki Cloud VMS/Cameras Tested on Feb 13, 2019
Cisco Meraki says their cameras "bring Meraki magic to the enterprise video security world". According to Meraki, their magic is their management...
Solink Raises $12 Million - Company Profile on Feb 12, 2019
Most industry professionals have never heard of Solink, a company whose tagline is: It's time to revolutionize the way business uses...
Dahua Intercom Tested on Feb 07, 2019
Video intercoms are a growing market with video surveillance manufacturers expanding into this niche. IPVM is continuing its series of video...
8MP HD Analog Tested (Dahua / Hikvision) on Jan 30, 2019
HD analog has promised higher resolution for years, but has lagged substantially behind for years. Now, both Dahua and Hikvision have started...

Most Recent Industry Reports

Avigilon Launches 'Renewed Products Program' on Mar 19, 2019
There are lots of 'pre-owned' cars but pre-owned IP cameras? While such programs are common in other industries, in video surveillance, they are...
Hanwha Tax Evasion Probe, Camera Division Implicated on Mar 19, 2019
A Hanwha group subsidiary was raided as part of a tax evasion probe. While a Korean news media report listed the raided entity as 'Hanwha...
Genetec Security Center 5.8 Tested on Mar 19, 2019
Genetec has released Version 5.8. This comes after a wait of more than a year that caused frustrations for many Genetec partners. Our previous...
Retired Mercury President Returns As Open Options President on Mar 18, 2019
Open Options experienced major changes in 2018, including being acquired by ACRE and losing its President and General Manager, John Berman who...
Large US University End-User Video Surveillance Interview on Mar 18, 2019
Schools have become targets in modern days of active shooters and terrorist fears. The need for video and access security is high. Universities...
Hikvision Favorability Results 2019 on Mar 18, 2019
Hikvision favorability results declined significantly in IPVM's 2019 study of 200+ integrators. While in 2017 Hikvision's favorability was...
ONVIF Favorability Results 2019 on Mar 15, 2019
In the past decade, ONVIF has grown from a reaction to the outside Cisco-lead PSIA challenge, to being the de facto video surveillance standard...
Installation Course - Last Chance on Mar 14, 2019
This is the last chance to register for the March Installation course. This is a unique installation course in a market where little practical...
City Physical Security Manager Interview on Mar 14, 2019
This physical security pro is the Physical Security Manager for the City of Calgary. He is a criminologist by training with an ASIS CPP credential....
US Drafting Separate Rule for NDAA Dahua/Hikvision 'Blacklist' on Mar 14, 2019
The most debated provision of the NDAA ban of Dahua, Hikvision, Huawei, et al. is the so-called 'blacklist' provision which would ban any company...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact