Feeds

Webcams, printers, gizmos - the untold net threats

Ghost in the machine

Choosing a cloud hosting partner with confidence

Forget mis-configured Apache servers and vulnerability-laden Adobe applications. The biggest security threats to business and home networks may be the avalanche of webcams, printers, and other devices that ship with embedded web interfaces that can easily be turned against their masters.

The web interfaces are designed to make it easy to manage the devices by allowing people to use a readily familiar medium to change settings such as file names and IP addresses. But there's a catch: The low-cost gadgets were never designed to withstand attacks, even though they interact with some of the most sensitive parts of a computer network, says a team of researchers at Stanford University that tested 21 devices made by 16 different manufacturers.

"We didn't find a single secure device," said Hristo Bojinov, a PhD candidate at Stanford's Computer Security Lab, who plans to present the findings later this month at the Black Hat security conference in Las Vegas. "It tells us that it's a long tail that's completely overlooked right now."

The device that posed the highest number of threats was NAS, or network-attached storage, units, which were susceptible to all five attack classes considered in the study.

For instance, attackers can sabotage NAS units made by one vendor (The Register agreed not to name any specific manufacturers or models in this article) by doing nothing more than entering javascript commands when trying to log in to the device. From then on, the device will execute XSS, or cross-site scripting, attacks against network admins each time they view a device log that stores the wayward login attempts.

Similarly, attackers can manipulate SMB, or server message block, commands, to rename files on a NAS device so they contain malicious javascript. The Stanford team has dubbed such exploits cross-channel scripting attacks because they use a non-web-based channel such as the file transfer protocol to store arbitrary scripts that, when viewed in a web browser, can expose the admin to serious threats. Four of the five NAS manufacturers studied in the report were vulnerable to them.

Other devices that are vulnerable to cross-channel attacks include network switches, routers, photo frames, voice over internet protocol phones, and so-called LOM, or lights out management, systems for remotely managing servers and other network equipment. Other attack classes detailed in the study included CSRF, or cross-site request forgeries, and unauthorized access of files or device resources.

"What we're talking about here is a fairly global problem," said Bojinov. "Pretty much all vendors we have looked at are affected by this."

The researchers have also modeled web-based exploits that invoke CSRF attacks to plant an ever-present "ghost" in certain models of photo frames that allow people to use the internet to remotely change the images being displayed. From then on, the device is under the spell of the demon, which can be programmed to send a copy of each picture stored, the times the device is accessed and other potentially sensitive data.

The findings are significant for a couple reasons. First, once infiltrated, the devices will continue to attack because the malicious scripts reside in configuration pages, device logs, and other pages. Even if an attacked PC is later disinfected, the device may continue to clobber new victims. What's more, these devices are generally invisible to anti-virus and other security programs.

Second, the number of electronic devices being shipped with web interfaces has snowballed and is only getting bigger. In the next few years, the number of such gizmos attached to the net will outnumber servers, the researchers say.

And yet few if any device manufacturers supply defenses against such attacks.

"At a high level, usually the problems can be fixed by being very careful about escaping the state that device stores, and presents," Bojinov says. "However, given the fact that it is so hard to keep track of all input and output, it is too much to ask each vendor to fix to the problem directly."

As a result, the research team - which also includes Dan Boneh, head of the Applied Cryptography Group in Stanford's Computer Science Department, and Elie Bursztein, a post-doctoral researcher at the Stanford Computer Security Lab - are considering whether it makes sense to build a set of lightweight tools that vendors could include in their wares.

One approach is the creation of browser extension the team calls a "sitefirewall" that would prevent attacks from using the browser to leak data outside an intranet. The team plans to release a proof-of-concept tool later this year. A second approach is a framework for developing embedded web interfaces that fixes the most common implementation problems. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.