Another Open Source Software Supply Chain Issue

Lets combine all the possible cyber risk concerns into one sentence.

A bug in an open source library used by major IoT vendors is raising the spectre of software supply chain/vendor risk management issues for all developers.

The vendor in question is Axis Communications.  Whether you know it or not, you have seen their security cameras across the country including in high profile places like airports and stadiums.  That is the IoT part.

The open source part is a library that Axis and tens of thousands of other products use called gSoap.  gSoap is available on Sourceforge and has been downloaded 30,000 times in 2017 alone.  Since a developer or developer’s company only has to download it once to use it in hundreds of products, the scope of use of this software is unknown, but large.  Given the number of cameras that Axis alone sells, it likely affects millions of devices.

The bug, called Devil’s Ivy,  is going to be very difficult to stamp out.

For developers, they have to understand their software supply chain.  Axis, for it’s part, is at least trying to spread the word about the problem.  There is a patch available.

But then there is the supply chain issue.  You or I might have an IoT (or other) product that uses this library, but there is no easy way for us to know whether we do or not.  The vendor who downloaded the library and then integrated it into their software has to understand that that library has a patch cycle of it’s own.

ASSUMING the vendor understands the problem, they have to rebuild their software.  If the software is like gSoap, which has been downloaded over a million times, there is no easy way to get the word out, since there is no vendor selling it and no support contract with names and phone numbers.

To make it worse, lets say that Axis downloads the patched library and then figures out which models of their cameras use it and generates a new version of the firmware for that camera, how do they get the word out to their millions of customers that there is a new version of the firmware for some object that is hanging from the ceiling in a store, stadium or airport.  That is not an easy job.

From the customer’s standpoint, their vendor risk  management program needs to be asking questions about how their vendor is keeping up to date on their software supply chain and how they are notifying their customers about new software versions.

Now it is a simple matter of patching an IoT device hanging 30 feet or a hundred feet in the air in the middle of a store, school, stadium or airport.  Did I say SIMPLE?

All in all, a bit of a mess, but with some work it is possible to reduce the risk.  However, it will take work on the part of developers, manufacturers and end users.  THAT is not simple either.

Information for this post came from Senrio.

by