| Recurring |
multiple_organization |
(a) The software failure incident related to the vulnerability in the gSOAP code, known as Devil's Ivy, impacted multiple organizations. The incident affected at least 34 companies that use the gSOAP code in their IoT products [61287]. The vulnerability in the gSOAP code was found in a single security camera from Swedish security camera maker Axis Communications, which led to the discovery that the bug was not in Axis's code but in the gSOAP code distributed by Genivia [61287].
(b) The software failure incident involving the Devil's Ivy vulnerability in the gSOAP code affected a wide range of companies beyond just the initial security camera manufacturer. The vulnerability potentially left thousands of different models of internet-connected devices at risk, including security cameras, sensors, and access-card readers [61287]. The gSOAP code is used by nearly 500 members of the ONVIF consortium, which includes companies like Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp, Siemens, Sony, and Toshiba [61287]. The total number of affected devices was estimated to be in the millions, indicating the widespread impact of the software vulnerability across multiple organizations [61287]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the article. The vulnerability known as "Devil's Ivy" was discovered in a piece of code called gSOAP, which is widely used in physical security products across various vendors. This vulnerability allowed attackers to fully disable or take over thousands of models of internet-connected devices, including security cameras, sensors, and access-card readers. The issue stemmed from the reuse of code from a small company (Genivia) across a wide range of devices, leading to a widespread impact on the security of these products [61287].
(b) The software failure incident related to the operation phase is also highlighted in the article. The vulnerability in the gSOAP code, which was exploited in the Devil's Ivy attack, required sending a large payload of malicious data to the target devices. This operation-based vulnerability allowed attackers to run any code they chose on the affected devices, potentially leading to disabling the devices, installing malware, or intercepting video streams. The operation of the devices, particularly those configured as servers, made them vulnerable to exploitation through this flaw [61287]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident, the Devil's Ivy vulnerability, is a buffer overflow in the gSOAP code widely used in physical security products and originated from within the system. The vulnerable code was distributed by Genivia as part of its popular gSOAP developer platform. This vulnerability allowed attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers [61287].
(b) outside_system: The software failure incident was exacerbated by factors originating from outside the system, such as the interconnected nature of the Internet of Things (IoT) ecosystem. The widespread use of the gSOAP code across various IoT products from different vendors meant that a single bug in the code could impact a large number of disparate devices, highlighting the risks associated with code reuse and supply chain vulnerabilities in the IoT space [61287]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the article was primarily due to non-human actions. The vulnerability known as "Devil's Ivy" was a flaw in a piece of code called gSOAP widely used in physical security products, which potentially allowed attackers to disable or take over thousands of models of internet-connected devices [61287].
(b) However, human actions also played a role in this incident. The article mentions that the attack would have to be configured separately for each vulnerable device or application, and it required sending a significant amount of data to the target, which was described as a "silly" amount of bandwidth [61287]. Additionally, the responsibility of applying patches to protect devices rested on the companies that use the gSOAP code, as well as on the customers to install those patches [61287]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident reported in the articles is primarily related to software issues rather than hardware. The incident, known as "Devil's Ivy," was a vulnerability in a piece of code called gSOAP widely used in physical security products, which potentially allowed attackers to disable or take over thousands of models of internet-connected devices [61287].
The vulnerability was a buffer overflow found in the firmware of a security camera; the flaw was not in the camera maker's own code but in a code library distributed by Genivia as part of its gSOAP developer platform. This code library was used to implement a protocol called ONVIF, which is a networking language for security cameras and other physical security devices [61287].
The incident highlights the danger of reusing code from a small company across tens of millions of gadgets, emphasizing the importance of secure software development practices and thorough code reviews to prevent such vulnerabilities [61287].
(b) The software failure incident was caused by a vulnerability in the gSOAP code, which is a software component widely used in various internet-connected devices. This vulnerability allowed attackers to exploit the devices and potentially take control of them. The incident underscores the importance of secure coding practices and thorough software testing to prevent such vulnerabilities from being exploited [61287]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. The incident, known as "Devil's Ivy," was a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers [61287]. The attack required sending two full gigabytes of data to a target, indicating a deliberate effort to exploit the vulnerability [61287].
(b) The incident cannot be classified as non-malicious, as it involved a deliberate exploitation of a vulnerability in the code used in various IoT devices, highlighting the danger of reusing code from a small company across tens of millions of gadgets [61287]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The software failure incident described in the articles can be attributed to poor decisions made by various companies involved in using the gSOAP code in their IoT products. The vulnerability known as "Devil's Ivy" stemmed from a piece of code called gSOAP, which was widely used in physical security products from various vendors. Despite the discovery of the vulnerability, patching was described as spotty in the internet of things, leading to a situation where the flaw could persist unfixed in a large number of devices [61287].
(b) Additionally, the incident can also be linked to accidental decisions or unintended consequences. The vulnerability in the gSOAP code, which led to the Devil's Ivy flaw, was not initially identified by the company behind the affected security camera but was discovered by Senrio's researchers. This highlights how unintended consequences can arise from using third-party code across a wide range of products without thorough security assessments [61287]. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence can be seen in the article where a vulnerability in a piece of code called gSOAP, widely used in physical security products, was discovered. This vulnerability, named "Devil's Ivy," allowed attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers. The issue stemmed from the reuse of code from a small company across tens of millions of gadgets, highlighting the danger of supply chain code sharing in the Internet of Things [61287].
(b) The software failure incident related to accidental factors can be observed in the same article where the vulnerability known as Devil's Ivy was found in the firmware of a single security camera from Axis Communications. This bug could allow a hacker to run any code they chose on the camera, potentially disabling it, installing malware, or intercepting its video stream. The accidental nature of this failure is evident in the fact that the bug was not in Axis's code but in a code library distributed by Genivia as part of its gSOAP developer platform, which was used by various companies without clear knowledge of the potential vulnerabilities it introduced [61287]. |
| Duration |
permanent, temporary |
The software failure incident described in the articles can be categorized as both permanent and temporary:
(a) Permanent: The vulnerability known as "Devil's Ivy" discovered by Senrio in the gSOAP code widely used in physical security products could potentially allow attackers to fully disable or take over thousands of models of internet-connected devices. The widespread use of this code across various devices means that the impact of the vulnerability could persist unfixed in a large number of devices, even after a patch has been released [61287].
(b) Temporary: While a patch was released for the vulnerability, the effectiveness of the patch and the mitigation of the issue depend on the companies that use the gSOAP code making the patch available and customers actually installing it. The article mentions that not all devices affected by the bug necessarily have automatic updates or careful administrators maintaining them, which could lead to some devices remaining vulnerable [61287]. |
| Behaviour |
crash, omission, value, other |
(a) crash: The software failure incident described in the articles can be categorized as a crash. The vulnerability known as "Devil's Ivy" allowed attackers to fully disable or take over thousands of models of internet-connected devices, such as security cameras, sensors, and access-card readers [61287].
(b) omission: The incident can also be related to omission as the vulnerability in the gSOAP code used in physical security products allowed attackers to potentially disable devices, install malware, intercept or spoof video streams, and run any code they chose on the affected cameras [61287].
(c) timing: There is no specific mention of the software failure incident being related to timing issues in the articles.
(d) value: The incident can be linked to a failure in value as the vulnerability in the gSOAP code led to the system performing its intended functions incorrectly, allowing attackers to exploit the devices and compromise their security [61287].
(e) byzantine: The incident does not align with a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The other behavior exhibited by the software failure incident is the widespread impact of a single bug across a large number of disparate devices due to the reuse of code from a small company across tens of millions of gadgets. This highlights the danger of code reuse in the Internet of Things ecosystem and the potential for vulnerabilities to propagate extensively [61287]. |