Devil's Ivy PR Campaign Exploiting Manufacturer Cybersecurity
Manufacturers increasingly have a bulls-eye on their back.
As cyber security solutions providers grow, they realize a great way to get publicity for themselves is to maximize coverage of exploits they discover.
In this report, we provide a behind the scenes examination of how one PR / marketing campaign came together, examining whether it is fair or foul and looking at the risks for manufacturers.
Company Behind PR Campaign - Senrio
A cyber security startup, Senrio, who sells a network monitoring appliance that detects abnormal network activity, discovered a vulnerability in a toolkit used in many ONVIF implementations.
Exploiting Vulnerabilities For PR
Rather than simply releasing public notice, Senrio launched a PR campaign, 'partnering' with publications as their PR firm explained to us:
We're partnering with a few journalists, want to give the the opportunity write the story in-depth, but under embargo. By publishing this early, we run the risk of the news leaking without the full story given to those we've promised it.
The PR firm was concerned that our timely coverage (July 10th) of this issue would jeopardize their PR campaign despite the impacted developer, Genivia, already having given public notice.
Winning at PR
Senrio and their PR firm made out great, with numerous publications covering Senrio:
- CNET: Millions of IoT devices are vulnerable to widespread bug
- Wired: HACK BRIEF: 'DEVIL'S IVY' VULNERABILITY COULD AFFLICT MILLIONS OF IOT DEVICES
- Tom's Guide: Serious Flaw Lets Strangers Hijack Your Security Cam
- SecurityWeek: Millions of IoT Devices Possibly Affected by 'Devil's Ivy' Flaw
- CSO: Buggy shared library exposes millions of IoT devices to ‘Devil’s Ivy’ flaw
- Krebs: Experts in Lather Over ‘gSOAP’ Security Flaw
- CRN: IoT Security Company Senrio: New Devil's Ivy Vulnerability Puts Millions Of Devices At Risk
The results speak for themselves. There is no doubt hiring a PR firm and coordinating publication results in far greater coverage.
Senrio Over-States Vulnerability
One key problem is that Senrio inflames the matter with its naming and framing of it.
Senrio gave the vulnerability the name "Devil's Ivy" claiming:
We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse.
However, this is very easy to "kill", the software patch was a few lines of code that can be copy/pasted into any source code using the gSOAP toolkit with no adverse effects (we verified this with gSOAP's creator).
Attempting to hype up the potential impact Senrio states:
It is likely that tens of millions of products -- software products and connected devices -- are affected by Devil’s Ivy to some degree.
Though the company gives no indication of exactly how they come to this conclusion, apparently extrapolating from Genivia's claim their toolkit has more than 1 million downloads, and includes some big-name customers (IBM, Adobe, Xerox).
In a video walkthrough of their exploit, Senrio states that they had to run a shell on port 33153:
For most cameras in the wild, this port (or others) are unlikely to be opened on the firewall, which would prevent a remote connection into the shell, unless the hackers also had access to the router/firewall, or UPnP was enabled (both plausible possibilities, though unlikely).
Moreover, Senrio obscures the fact that exploiting this requires sending a 2GB XML file to the device, which increases complexity, and makes a mass-attack much more resource consuming. In their "Technical Details" blog post, they state this as a hex value instead, with no reference to how large of an XML file it really is:
Many security cameras, and other IoT devices, do not have a need for a user to upload a 2GB file, and have restrictions in place to limit max file upload size as a general security best-practice. In speaking with surveillance camera manufacturers, IPVM found that some manufacturers used gSOAP, but were not vulnerable, due to how they handled or limited file uploads.
In Wired's coverage the security researcher behind the Metasploit penetration tester also picks up on this, noting the complexities of the "Devil's Ivy" vulnerability that make it less threatening than Senrio would have readers believe:
H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio's findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, what he describes as a "silly" amount of bandwidth.
Senrio Benefits From Vulnerabilities
Senrio's product increases in value when potential customers perceive an increase in risks on their LAN. If customers do not fear devices on their network being hacked, or behaving erratically, they will have little incentive to purchase Senrio's products. Thus, hyping up this discovery, and getting multiple media outlets to cover it, stands to benefit Senrio, and in that sense is an understandable approach, even if it diverges from the more traditional approaches taken to vulnerability disclosures.
Manufacturers Are Responsible
Manufacturers are clearly responsible for the cyber security of their products, whether or not companies are looking to take advantage of this for marketing / PR reasons.
Security Manufacturers Beware
Security manufacturers are going to be facing increasing pressure around cyber security. The hunt for vulnerabilities is now funded by startups, who are far more interested than independent researchers and curious hackers that are not so motivated by brand building.
With this discovery, and associated press campaign, Senrio has proven that cyber security vulnerability discoveries are moving beyond topics of interest only to hard-core geeks, on to items of wider interest.
Larger manufacturers, those with name recognition or major market share are the most likely targets, as discoveries in those products will attract more attention than those in off-brand consumer goods.