Devil's Ivy PR Campaign Exploiting Manufacturer Cybersecurity

By: IPVM Team, Published on Jul 20, 2017

Manufacturers increasingly have a bulls-eye on their back.

As cyber security solutions providers grow, they realize a great way to get publicity for themselves is to maximize coverage of exploits they discover. 

In this report, we provide a behind the scenes examination of how one PR / marketing campaign came together, examining whether it is fair or foul and looking at the risks for manufacturers.

Company Behind PR Campaign - Senrio

A cyber security startup, Senrio, who sells a network monitoring appliance that detects abnormal network activity, discovered a vulnerability in a toolkit used in many ONVIF implementations.

Exploiting Vulnerabilities For PR 

Rather than simply releasing public notice, Senrio launched a PR campaign, 'partnering' with publications as their PR firm explained to us:

We're partnering with a few journalists, want to give the the opportunity write the story in-depth, but under embargo. By publishing this early, we run the risk of the news leaking without the full story given to those we've promised it.

The PR firm was concerned that our timely coverage (July 10th) of this issue would jeopardize their PR campaign despite the impacted developer, Genivia, already having given public notice.

Winning at PR

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Senrio and their PR firm made out great, with numerous publications covering Senrio:

The results speak for themselves. There is no doubt hiring a PR firm and coordinating publication results in far greater coverage. 

Senrio Over-States Vulnerability

One key problem is that Senrio inflames the matter with its naming and framing of it.

Senrio gave the vulnerability the name "Devil's Ivy" claiming:

We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse.

However, this is very easy to "kill", the software patch was a few lines of code that can be copy/pasted into any source code using the gSOAP toolkit with no adverse effects (we verified this with gSOAP's creator).

Attempting to hype up the potential impact Senrio states:

It is likely that tens of millions of products -- software products and connected devices -- are affected by Devil’s Ivy to some degree.

Though the company gives no indication of exactly how they come to this conclusion, apparently extrapolating from Genivia's claim their toolkit has more than 1 million downloads, and includes some big-name customers (IBM, Adobe, Xerox).

In a video walkthrough of their exploit, Senrio states that they had to run a shell on port 33153:

For most cameras in the wild, this port (or others) are unlikely to be opened on the firewall, which would prevent a remote connection into the shell, unless the hackers also had access to the router/firewall, or UPnP was enabled (both plausible possibilities, though unlikely).

Moreover, Senrio obscures the fact that exploiting this requires sending a 2GB XML file to the device, which increases complexity, and makes a mass-attack much more resource consuming. In their "Technical Details" blog post, they state this as a hex value instead, with no reference to how large of an XML file it really is:

Many security cameras, and other IoT devices, do not have a need for a user to upload a 2GB file, and have restrictions in place to limit max file upload size as a general security best-practice. In speaking with surveillance camera manufacturers, IPVM found that some manufacturers used gSOAP, but were not vulnerable, due to how they handled or limited file uploads. 

In Wired's coverage the security researcher behind the Metasploit penetration tester also picks up on this, noting the complexities of the "Devil's Ivy" vulnerability that make it less threatening than Senrio would have readers believe:

H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio's findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, what he describes as a "silly" amount of bandwidth.

Senrio Benefits From Vulnerabilities

Senrio's product increases in value when potential customers perceive an increase in risks on their LAN. If customers do not fear devices on their network being hacked, or behaving erratically, they will have little incentive to purchase Senrio's products. Thus, hyping up this discovery, and getting multiple media outlets to cover it, stands to benefit Senrio, and in that sense is an understandable approach, even if it diverges from the more traditional approaches taken to vulnerability disclosures.

Manufacturers Are Responsible

Manufacturers are clearly responsible for the cyber security of their products, whether or not companies are looking to take advantage of this for marketing / PR reasons.

Security Manufacturers Beware

Security manufacturers are going to be facing increasing pressure around cyber security. The hunt for vulnerabilities is now funded by startups, who are far more interested than independent researchers and curious hackers that are not so motivated by brand building.

With this discovery, and associated press campaign, Senrio has proven that cyber security vulnerability discoveries are moving beyond topics of interest only to hard-core geeks, on to items of wider interest.

Larger manufacturers, those with name recognition or major market share are the most likely targets, as discoveries in those products will attract more attention than those in off-brand consumer goods.

4 reports cite this report:

Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer on Mar 30, 2018
Getting prompt and appropriate information on vulnerabilities is important...
Hanwha / Kaspersky Vulnerability Dispute Examined on Mar 29, 2018
IT media ran numerous reports in the past month featuring two prominent...
Top 2017 Trends - Cyber and Analytics on Nov 09, 2017
The 2 clear top 2017 trends, according to IPVM integrator statistics...
‘Experts' Fail On Dumbo IP Camera ‘Hack' on Aug 24, 2017
Dumbo, revealed by Wikileaks, has become big news. Unfortunately, 'experts'...
Comments (5) : Members only. Login. or Join.

Related Reports

Convergint Refuses To Fix Faked Fever Marketing, FTC Complaint Filed on Jun 19, 2020
Since Convergint has refused to fix their faked fever camera marketing, IPVM...
Beware Rigged China Fever Cameras on Sep 08, 2020
Many China fever camera manufacturers have rigged algorithms dynamically...
Don't Be Fooled By Hot Water Bottle Fever Camera Demos on Aug 24, 2020
Fever camera salesmen like to fool buyers (and themselves) with hot water...
WDR Cheat Sheet and Camera Tracking - 30 Manufacturers on Aug 26, 2020
Manufacturers are regularly cryptic about what WDR support they actually...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020
ISC News, the Reed publication behind the ISC East and West trade shows, has...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
Actual Coronavirus Testing Options Examined on Aug 13, 2020
Fever cameras have emerged as an indirect and flawed way to test for...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
This YouTuber is Now Selling ThermoHealth Temperature Screening on Jul 29, 2020
An enterprising 20-year old is mass marketing medical devices on Facebook and...
FLIR A Series Temperature Screening Cameras Tested on Jun 04, 2020
FLIR is one of the biggest names in thermal and one of the most conservative....
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...

Recent Reports

Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
New Products Show Fall 2020 Starts Tomorrow! on Sep 27, 2020
Tomorrow, IPVM's sixth online show will feature New Products from over 25...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...