Webcams, printers, gizmos - the untold net threats
Ghost in the machine
Forget mis-configured Apache servers and vulnerability-laden Adobe applications. The biggest security threats to business and home networks may be the avalanche of webcams, printers, and other devices that ship with embedded web interfaces that can easily be turned against their masters.
The web interfaces are designed to make it easy to manage the devices by allowing people to use a readily familiar medium to change settings such as file names and IP addresses. But there's a catch: The low-cost gadgets were never designed to withstand attacks, even though they interact with some of the most sensitive parts of a computer network, says a team of researchers at Stanford University that tested 21 devices made by 16 different manufacturers.
"We didn't find a single secure device," said Hristo Bojinov, a PhD candidate at Stanford's Computer Security Lab, who plans to present the findings later this month at the Black Hat security conference in Las Vegas. "It tells us that it's a long tail that's completely overlooked right now."
The device that posed the highest number of threats was NAS, or network-attached storage, units, which were susceptible to all five attack classes considered in the study.
Other devices that are vulnerable to cross-channel attacks include network switches, routers, photo frames, voice over internet protocol phones, and so-called LOM, or lights out management, systems for remotely managing servers and other network equipment. Other attack classes detailed in the study included CSRF, or cross-site request forgeries, and unauthorized access of files or device resources.
"What we're talking about here is a fairly global problem," said Bojinov. "Pretty much all vendors we have looked at are affected by this."
The researchers have also modeled web-based exploits that invoke CSRF attacks to plant an ever-present "ghost" in certain models of photo frames that allow people to use the internet to remotely change the images being displayed. From then on, the device is under the spell of the demon, which can be programmed to send a copy of each picture stored, the times the device is accessed and other potentially sensitive data.
The findings are significant for a couple reasons. First, once infiltrated, the devices will continue to attack because the malicious scripts reside in configuration pages, device logs, and other pages. Even if an attacked PC is later disinfected, the device may continue to clobber new victims. What's more, these devices are generally invisible to anti-virus and other security programs.
Second, the number of electronic devices being shipped with web interfaces has snowballed and is only getting bigger. In the next few years, the number of such gizmos attached to the net will outnumber servers, the researchers say.
And yet few if any device manufacturers supply defenses against such attacks.
"At a high level, usually the problems can be fixed by being very careful about escaping the state that device stores, and presents," Bojinov says. "However, given the fact that it is so hard to keep track of all input and output, it is too much to ask each vendor to fix to the problem directly."
As a result, the research team - which also includes Dan Boneh, head of the Applied Cryptography Group in Stanford's Computer Science Department, and Elie Bursztein, a post-doctoral researcher at the Stanford Computer Security Lab - are considering whether it makes sense to build a set of lightweight tools that vendors could include in their wares.
One approach is the creation of browser extension the team calls a "sitefirewall" that would prevent attacks from using the browser to leak data outside an intranet. The team plans to release a proof-of-concept tool later this year. A second approach is a framework for developing embedded web interfaces that fixes the most common implementation problems. ®
Firewalls and stuff
Actually a hardware firewall built into your router will help as long as the devices aren't available on a wireless network. But then wireless networks can be secured using other methods.
IF the users of these devices went to a real computer store instead of PC World or Best Buy, then the odds are about 50/50 that the seller would show the user how to secure his or her device. Occasionally even those corporates have ethical employees, but those sorts of employees don't last long because corporate electronics stores want to charge for basic configuration, not give it away for free.
Anyway the point of the article is not that stuff on the internet is vulnerable because 100% security is impossible, but rather if you spend 5 minutes learning how to configure the device you can make yourself safe from drive-by hacks.
The following Google search.. okay I won't but there is a simple one that will reveal 1000s of unsecured devices for everyone to take a look at. Even more if you're aware of the standard admin username and password, admin. Or 12345.
So the problem is lazy, greedy or unscrupulous computer dealers don't tell non-techs how to secure their devices in a way that won't make their co-existing PC 100% secure, but will make it safe enough to withstand those who can't be bothered to waste time figuring something out when there's 1000s of other targets out there that don't require any thought whatsoever to access.
And that is actually pretty damn safe. It's like the old joke about the two guys that stumble across a lion. One starts to run and the other asks puzzled, 'do you really think we can outrun the lion?'. The guy that started running answers 'no, but I know I can outrun you.'
Any non-techie that reaches the goal of outrunning the millions of slow people with no security has pretty much made their system as safe as it needs to be, unless he has a disgruntled spouse with the phone number of a good detective agency and a penchant for deleting his WoW toons (I know a guy this happened to and while I also know I shouldn't laugh..).
To anyone thinking, well if they just read the manual.. yeah.. right.. You'd think that at least one manufacturer.. just one.. would employ someone with the ability to put all the required words in a sentence to make that sentence mean something in the language it was written..
Those claiming that it's too difficult to break through firewalls - the average consumer 'firewall' is a NAT device (with various degrees of vunerability) plus a badly configured software packet inspector on the users machine.
In any case, there are alternate ways around a firewall. Go in via a browser exploit - and use that to plant backdoors on various devices, that's not too far fetched, even/especially in the average corporation with an overworked IT department and a scheduled set of OS/software updates that are always later than you'd get them in the consumer world - due to the need for verification.
Actually it's a browser vuln
OK, the nuts of this vuln is that your browser will aggressively execute ANY suitable script it finds, even inside a file name or log entry! I know we've all benefited from the extensibility of HTML from embedded magic strings that signal "script ahead!", but this is really a massive security hole. This is the elephant in the room. This is *the* big HTML fail, the fundamental design flaw.
Back to the issue of embedded servers - we've certainly seen it in our LAN - when we turned on WiFi for the house sitter while we went on holiday, she could easily see our NAS - so we unplugged it before we left, but did leave the network printer up for her benefit. Normally the WiFi is off. Fortunately we did a checkout before leaving! We're in a tight neighborhood, and about a dozen houses must be able to see out WAP, based on how many WAPs we can see.