Devil's Ivy (gSOAP)

Issue

Customers are asking whether our cameras are vulnerable to the Devil's Ivy (gSOAP) attack.

Product Line

Pelco Cameras

Environment

All Pelco camera series.

Cause

Security firm Senrio revealed a hackable flaw it's calling "Devil's Ivy," a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers.

Resolution

In mid-July, a security vulnerability, the gSOAP/Devil's Ivy threat, was exposed that had a significant impact in our video security market. This is Pelco's official statement shared with IPVM magazine (emphasis added):

 
Pelco by Schneider-Electric takes all Cyber Security threats seriously and responds immediately to any reported or potential threat to take immediate and proactive corrective action.
As such, Pelco is aware of the recently discovered gSOAP vulnerability, and has performed extensive testing of that vulnerability on our product offerings. Specifically, we tested against the gSOAP vulnerability on Pelco's IP camera product lines, and have found that our cameras are immune to the vulnerability. For our VMS systems products, gSOAP is not used, and therefore those products are also immune to this vulnerability.

 

As for our EVO cameras was previously aware of the gSOAP vulnerability reported by IPVM and determined that neither the Evolution 05 nor Evolution 12 products are susceptible to this vulnerability. Specifically, uploading large files to either an Evolution 05 or Evolution 12 is not supported, which is at the root of the vulnerability. Updated firmware is not required to address this vulnerability in product".