Webcams, printers, gizmos - the untold net threats

Ghost in the machine


Forget mis-configured Apache servers and vulnerability-laden Adobe applications. The biggest security threats to business and home networks may be the avalanche of webcams, printers, and other devices that ship with embedded web interfaces that can easily be turned against their masters.

The web interfaces are designed to make it easy to manage the devices by allowing people to use a readily familiar medium to change settings such as file names and IP addresses. But there's a catch: The low-cost gadgets were never designed to withstand attacks, even though they interact with some of the most sensitive parts of a computer network, says a team of researchers at Stanford University that tested 21 devices made by 16 different manufacturers.

"We didn't find a single secure device," said Hristo Bojinov, a PhD candidate at Stanford's Computer Security Lab, who plans to present the findings later this month at the Black Hat security conference in Las Vegas. "It tells us that it's a long tail that's completely overlooked right now."

The device that posed the highest number of threats was NAS, or network-attached storage, units, which were susceptible to all five attack classes considered in the study.

For instance, attackers can sabotage NAS units made by one vendor (The Register agreed not to name any specific manufacturers or models in this article) by doing nothing more than entering javascript commands when trying to log in to the device. From then on, the device will execute XSS, or cross-site scripting, attacks against network admins each time they view a device log that stores the wayward login attempts.

Similarly, attackers can manipulate SMB, or server message block, commands, to rename files on a NAS device so they contain malicious javascript. The Stanford team has dubbed such exploits cross-channel scripting attacks because they use a non-web-based channel such as the file transfer protocol to store arbitrary scripts that, when viewed in a web browser, can expose the admin to serious threats. Four of the five NAS manufacturers studied in the report were vulnerable to them.

Other devices that are vulnerable to cross-channel attacks include network switches, routers, photo frames, voice over internet protocol phones, and so-called LOM, or lights out management, systems for remotely managing servers and other network equipment. Other attack classes detailed in the study included CSRF, or cross-site request forgeries, and unauthorized access of files or device resources.

"What we're talking about here is a fairly global problem," said Bojinov. "Pretty much all vendors we have looked at are affected by this."

The researchers have also modeled web-based exploits that invoke CSRF attacks to plant an ever-present "ghost" in certain models of photo frames that allow people to use the internet to remotely change the images being displayed. From then on, the device is under the spell of the demon, which can be programmed to send a copy of each picture stored, the times the device is accessed and other potentially sensitive data.

The findings are significant for a couple reasons. First, once infiltrated, the devices will continue to attack because the malicious scripts reside in configuration pages, device logs, and other pages. Even if an attacked PC is later disinfected, the device may continue to clobber new victims. What's more, these devices are generally invisible to anti-virus and other security programs.

Second, the number of electronic devices being shipped with web interfaces has snowballed and is only getting bigger. In the next few years, the number of such gizmos attached to the net will outnumber servers, the researchers say.

And yet few if any device manufacturers supply defenses against such attacks.

"At a high level, usually the problems can be fixed by being very careful about escaping the state that device stores, and presents," Bojinov says. "However, given the fact that it is so hard to keep track of all input and output, it is too much to ask each vendor to fix to the problem directly."

As a result, the research team - which also includes Dan Boneh, head of the Applied Cryptography Group in Stanford's Computer Science Department, and Elie Bursztein, a post-doctoral researcher at the Stanford Computer Security Lab - are considering whether it makes sense to build a set of lightweight tools that vendors could include in their wares.

One approach is the creation of browser extension the team calls a "sitefirewall" that would prevent attacks from using the browser to leak data outside an intranet. The team plans to release a proof-of-concept tool later this year. A second approach is a framework for developing embedded web interfaces that fixes the most common implementation problems. ®

Similar topics


Other stories you might like

  • The future: Windows streaming through notched Apple screens

    Choice is the word for Jamf's Dean Hager

    Interview As Apple's devices continue to find favour with enterprise users, the fortress that is Windows appears to be under attack in the corporate world.

    Speaking to The Register as the Jamf Nation User Conference wound down, the software firm's CEO, Dean Hager, is - unsurprisingly - ebullient when it comes to the prospects for Apple gear in the world of suits.

    Jamf specialises in device management and authentication, and has long been associated with managing Apple hardware in business and education environments. In recent years it has begun connecting its products with services such as Microsoft's Azure Active Directory as administrators face up to a hybrid working future.

    Continue reading
  • There’s a wave of ransomware coming down the pipeline. What can you do about it?

    AI can help. Here’s how…

    Sponsored The Colonial Pipeline attack earlier this year showed just how devastating a ransomware attack is when it is targeted at critical infrastructure.

    It also illustrated how traditional security techniques are increasingly struggling to keep pace with determined cyber attackers, whether their aim is exfiltrating data, extorting organisations, or simply causing chaos. Or, indeed an unpleasant combination of all three.

    So, what are your options? More people looking for more flaws isn’t going to be enough – there simply aren’t enough skilled people, there are too many bugs, and there are way too many attackers. So, it’s clear that smart cyber defenders need to be supplemented by even smarter technology incorporating AI. You can learn what this looks like by checking out this upcoming Regcast, “Securing Critical Infrastructure from Cyber-attack” on October 28 at 5pm.

    Continue reading
  • Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal

    Or so says infsec outfit Emsisoft

    Hurling online abuse at ransomware gangs may have contributed to a hardline policy of dumping victims' data online, according to counter-ransomware company Emsisoft.

    Earlier this month, the Conti ransomware gang declared it would publish victims' data and break off ransom negotiations if anyone other than "respected journalist and researcher personalities" [sic] dared publish snippets of ransomware negotiations, amid a general hardening of attitudes among ransomware gangs.

    Typically these conversation snippets make it into the public domain because curious people log into ransomware negotiation portals hosted by the criminals. The BlackMatter (aka DarkSide) gang's portal credentials (detailed in a ransom note) became exposed to the wider world, however, and the resulting wave of furious abuse hurled at the crims prompted them to pull up the virtual drawbridge.

    Continue reading

Biting the hand that feeds IT © 1998–2021