Devil's Ivy PR Campaign Exploiting Manufacturer Cybersecurity

Author: IPVM Team, Published on Jul 20, 2017

Manufacturers increasingly have a bulls-eye on their back.

As cyber security solutions providers grow, they realize a great way to get publicity for themselves is to maximize coverage of exploits they discover.

In this report, we provide a behind the scenes examination of how one PR / marketing campaign came together, examining whether it is fair or foul and looking at the risks for manufacturers.

Company Behind PR Campaign - Senrio

A cyber security startup, Senrio, who sells a network monitoring appliance that detects abnormal network activity, discovered a vulnerability in a toolkit used in many ONVIF implementations.

Exploiting Vulnerabilities For PR

Rather than simply releasing public notice, Senrio launched a PR campaign, 'partnering' with publications as their PR firm explained to us:

We're partnering with a few journalists, want to give the the opportunity write the story in-depth, but under embargo. By publishing this early, we run the risk of the news leaking without the full story given to those we've promised it.

The PR firm was concerned that our timely coverage (July 10th) of this issue would jeopardize their PR campaign despite the impacted developer, Genivia, already having given public notice.

Winning at PR

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Senrio and their PR firm made out great, with numerous publications covering Senrio:

The results speak for themselves. There is no doubt hiring a PR firm and coordinating publication results in far greater coverage.

Senrio Over-States Vulnerability

One key problem is that Senrio inflames the matter with its naming and framing of it.

Senrio gave the vulnerability the name "Devil's Ivy" claiming:

We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse.

However, this is very easy to "kill", the software patch was a few lines of code that can be copy/pasted into any source code using the gSOAP toolkit with no adverse effects (we verified this with gSOAP's creator).

Attempting to hype up the potential impact Senrio states:

It is likely that tens of millions of products -- software products and connected devices -- are affected by Devil’s Ivy to some degree.

Though the company gives no indication of exactly how they come to this conclusion, apparently extrapolating from Genivia's claim their toolkit has more than 1 million downloads, and includes some big-name customers (IBM, Adobe, Xerox).

In a video walkthrough of their exploit, Senrio states that they had to run a shell on port 33153:

For most cameras in the wild, this port (or others) are unlikely to be opened on the firewall, which would prevent a remote connection into the shell, unless the hackers also had access to the router/firewall, or UPnP was enabled (both plausible possibilities, though unlikely).

Moreover, Senrio obscures the fact that exploiting this requires sending a 2GB XML file to the device, which increases complexity, and makes a mass-attack much more resource consuming. In their "Technical Details" blog post, they state this as a hex value instead, with no reference to how large of an XML file it really is:

Many security cameras, and other IoT devices, do not have a need for a user to upload a 2GB file, and have restrictions in place to limit max file upload size as a general security best-practice. In speaking with surveillance camera manufacturers, IPVM found that some manufacturers used gSOAP, but were not vulnerable, due to how they handled or limited file uploads.

In Wired's coverage the security researcher behind the Metasploit penetration tester also picks up on this, noting the complexities of the "Devil's Ivy" vulnerability that make it less threatening than Senrio would have readers believe:

H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio's findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, what he describes as a "silly" amount of bandwidth.

Senrio Benefits From Vulnerabilities

Senrio's product increases in value when potential customers perceive an increase in risks on their LAN. If customers do not fear devices on their network being hacked, or behaving erratically, they will have little incentive to purchase Senrio's products. Thus, hyping up this discovery, and getting multiple media outlets to cover it, stands to benefit Senrio, and in that sense is an understandable approach, even if it diverges from the more traditional approaches taken to vulnerability disclosures.

Manufacturers Are Responsible

Manufacturers are clearly responsible for the cyber security of their products, whether or not companies are looking to take advantage of this for marketing / PR reasons.

Security Manufacturers Beware

Security manufacturers are going to be facing increasing pressure around cyber security. The hunt for vulnerabilities is now funded by startups, who are far more interested than independent researchers and curious hackers that are not so motivated by brand building.

With this discovery, and associated press campaign, Senrio has proven that cyber security vulnerability discoveries are moving beyond topics of interest only to hard-core geeks, on to items of wider interest.

Larger manufacturers, those with name recognition or major market share are the most likely targets, as discoveries in those products will attract more attention than those in off-brand consumer goods.

4 reports cite this report:

Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer on Mar 30, 2018
Getting prompt and appropriate information on vulnerabilities is important for integrators and end users to ensure that their systems are best...
Hanwha / Kaspersky Vulnerability Dispute Examined on Mar 29, 2018
IT media ran numerous reports in the past month featuring two prominent companies - Hanwha (previously part of mega manufacturer Samsung) Techwin...
Top 2017 Trends - Cyber and Analytics on Nov 09, 2017
The 2 clear top 2017 trends, according to IPVM integrator statistics are: Cyber Security Video Analytics This is a change from 2016...
‘Experts' Fail On Dumbo IP Camera ‘Hack' on Aug 24, 2017
Dumbo, revealed by Wikileaks, has become big news. Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending...
Comments (5) : PRO Members only. Login. or Join.

Related Reports

Genetec Takes Aim At 'Untrustworthy' 'Foreign Government-Owned Vendors' on Sep 24, 2018
Genetec is taking aim at 'untrustworthy' 'foreign government-owned vendors'. This is not a new theme for Genetec as nearly 2 years ago, Genetec...
4MP Camera Shootout - Axis, Dahua, DW, Hanwha, Hikvision, Uniview, Vivotek on Sep 24, 2018
4MP usage continues to climb, especially for low cost fixed lens models. To see who was best, we bought and tested seven 4MP models from Axis,...
October 2018 Camera Course on Sep 13, 2018
Today is the last day to save $50 on the October 2018 Camera Course, register now. This is the only independent surveillance camera course,...
Directory Of 110+ Video Management Software (VMS) Suppliers on Aug 30, 2018
This directory provides a list of Video Management Software providers to help you see and research what options are available. Listing...
Hikvision FIPS 140-2 Cybersecurity Certification Examined on Aug 27, 2018
A week after the US government passed a law banning Hikvision, Hikvision announced it had obtained a FIPS 140-2 certification from the US...
Inputs/Outputs For Video Surveillance Guide on Aug 24, 2018
While many cameras have Input/Output (I/O) ports, few are actually used and most designers do not even consider them. However, a good understanding...
Synology Surveillance Station VMS Tested on Aug 22, 2018
With so many low-cost NVRs and enterprise VMSes, is there any place in the market for NAS-based VMSes? Recently, IPVM bought a Synology NAS for...
Video Analytics Integration Guide on Aug 16, 2018
Video analytics is hot again (at least conceptually) but integrating video analytics with VMSes can be challenging. This is especially significant...
Cut Milestone Licensing Costs 80% By Using Hikvision and Dahua NVRs (Tested) on Aug 13, 2018
Enterprise VMS licensing can be quite expensive, with $200 or more per channel common, meaning a 100 camera system can cost $20,000 in VMS...
Milestone / Canon Spinout Arcules Cloud Launch on Jul 30, 2018
Canon and Milestone's VSaaS Startup spinoff Arcules launched their platform at Google Cloud Next. IPVM spoke with CEO Andreas Pettersson about the...

Most Recent Industry Reports

Alexa Guard Expands Amazon's Security Offerings, Boosts ADT's Stock on Sep 21, 2018
Amazon is expanding their security offerings yet again, this time with Alexa Guard that delivers security audio analytics and a virtual "Fake...
UTC, Owner of Lenel, Acquires S2 on Sep 20, 2018
UTC now owns two of the biggest access control providers, one of integrator's most hated access control platforms, Lenel, and one of their...
BluePoint Aims To Bring Life-Safety Mind-Set To Police Pull Stations on Sep 20, 2018
Fire alarm pull stations are commonplace but police ones are not. A self-funded startup, BluePoint Alert Solutions is aiming to make police pull...
SIA Plays Dumb On OEMs And Hikua Ban on Sep 20, 2018
OEMs widely pretend to be 'manufacturers', deceiving their customers and putting them at risk for cybersecurity attacks and, soon, violation of US...
Axis Vs. Hikvision IR PTZ Shootout on Sep 20, 2018
Hikvision has their high-end dual-sensor DarkfighterX. Axis has their high-end concealed IR Q6125-LE. Which is better? We bought both and tested...
Avigilon Announces AI-Powered H5 Camera Development on Sep 19, 2018
Avigilon will be showcasing "next-generation AI" at next week's ASIS GSX. In an atypical move, the company is not actually releasing these...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
25% China Tariffs Finalized For 2019, 10% Start Now, Includes Select Video Surveillance on Sep 18, 2018
A surprise move: In July, when the most recent tariff round was first announced, the tariffs were only scheduled for 10%. However, now, the US...
Central Stations Face Off Against NFPA On Fire Monitoring on Sep 18, 2018
Central stations are facing off against the NFPA over what they call anti-competitive language in NFPA 72, the standard that covers fire alarms....
Hikvision USA Starts Layoffs on Sep 18, 2018
Hikvision USA has started layoffs, just weeks after the US government ban was passed into law. Inside this note, we examine: The important...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact