The flaw is in the gSOAP library maintained by Genivia, and it’s widely used in embedded devices as well as in some server applications. One of the places where the gSOAP toolkit is used is in IP-enabled security cameras manufactured by Axis. Researchers from security firm Senrio discovered a stack buffer overflow in gSOAP while looking at the firmware in Axis’s cameras and soon found that it could be exploited to give an attacker access to the video from a target camera. The researchers dubbed the bug Devil’s Ivy as a nod to its prevalence and the difficulty of rooting it out.

“Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded,” Senrio said in its analysis of the bug.

“Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade.”

One of the thorny things about this vulnerability is that it’s not a flaw in the code from one vendor, but rather lies in a third-party toolkit that’s used by thousands of customers in an untold number of devices. Genivia has released a patch for the vulnerability, but it’s up to each organization that uses gSOAP to download the updated version and then get it into their own codebases. And then the end-user customers of the cameras and other affected devices would need to install the updated firmware, which in some cases isn’t necessarily possible.

“The Internet of Things is ushering in an age of ambient computing. The more pervasive networked embedded devices (IOT) become in our lives, the more important it is to ensure they are resilient against attack. Identifying vulnerabilities in such devices is one way to help make them more secure. Devil’s Ivy was found while researching a security camera, but our research shows that a wide range of IoT devices have similar problems,” Senrio researchers said.

“Devil’s Ivy highlights the industry’s growing concern with the security of IoT. We forget or don’t realize that many of the devices we use everyday are computers— from the stoplight at your street corner to the Fitbit you wear on your wrist — and therefore are just as, if not more, vulnerable as the PC you sit in front of everyday.”

This is the key problem with IoT security: When everything is a computer, everything needs to be secured. And very few of these non-PC computers are secure by even the most generous definition of the word. Worse, for the most part, they can’t really be made secure. IP-enabled cameras, lightbulbs, and fitness trackers are designed to perform specific tasks and in many cases are not meant to be updated, ever. Customers buy the devices and use them and sometimes forget about them, but attackers don’t. When vulnerabilities such as Devil’s Ivy crop up, they often have very long tails and can haunt organizations for many years. Unpatched devices can sit forgotten in the corner of a network, easy pickings for attackers scanning the web a year or two from now.

We’ve seen the effect that bugs in code libraries can have in the traditional computing world, and now we’re beginning to see it in IoT, too. Expect it to get worse before it gets better.