Study: Serious Web Security Flaws Rampant on Embedded Devices

License plate readers are vulnerable to hackers, EFF warned.
A survey found 3/4ths of web interfaces for embedded systems like closed circuit cameras contained serious vulnerabilities.

In-brief: three quarters of embedded systems that sport web interfaces tested by researchers at universities in Germany and France contained serious security vulnerabilities, according to a new study. The results raise more questions about the security of embedded devices including home routers and home surveillance cameras. 

The web interface is a bit like the “bacon” of the Internet of Things – every device tastes (and works) a lot better with one. But, if implemented or deployed improperly, those web interfaces can be fat targets for remote attackers. Now a survey of firmware by researchers in France and Germany finds that many of those web interfaces are, indeed, vulnerable.

The researchers, from EURECOM and Ruhr University Bochum in Germany emulated and tested 246 separate instances of embedded device firmware with web interfaces. Of those, 185 (75%) were discovered to have “high impact” vulnerabilities, according to a report, “Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces,”  which was published on the web site arxiv.org on November 11th.

The report raises troubling questions about the security of a wide range of embedded systems, from broadband routers, to closed circuit cameras to voice over IP (VoIP) phones. The increasing presence of such connected devices running embedded operating systems poses a serious security challenge to both individuals and businesses.

The extensive survey was conducted as a test of an automated testing framework for embedded firmware. The framework, was developed by researchers Andrei Costin and Aurelien Francillon of the French graduate and research facility EURECOM and Apostolis Zarras of Ruhr-University Bochum in Germany. It was designed to discover vulnerabilities in embedded firmware images running on commercial off the shelf (COTS) devices such as home routers and security cameras.

Researchers identified more than 1,900 such firmware packages that contained (or appeared to contain) embedded web servers. However, they reported that the vast majority of firmware images they identified could not be scanned, either because the firmware or the included web interface could not be emulated for the purposes of testing.

In all, the researchers discovered 9,271 vulnerabilities in the 185 firmware images that they fully analyzed. Around one-quarter of the 54 vendors whose firmware was part of the survey population were affected. Twenty one of the firmware packages tested were vulnerable to command injection. Thirty two were vulnerable to cross site scripting (XSS) attacks and 37 were found to be vulnerable to cross site request forgery (CSRF) attacks. The researchers combined automated scans using both static and dynamic testing as well as manual testing to discover the vulnerabilities.

[Read more Security Ledger coverage of security issues affecting embedded devices.]

The vulnerabilities affected firmware running many different types of devices including SOHO (small office/home office) routers, closed circuit TV (CCTV) cameras and small WiFi devices like SD cards, the researchers wrote.

As an example, a test of Netgear networking devices found a raft of problems including insecure PHP modules that are used to write data to and from the device hardware such as the MAC address, hardware register values and so on. The features appeared to be left over from the manufacturing or testing process and had no utility to Netgear customers. However, attackers could use those modules to carry out command injection and cross site scripting attacks against the affected Netgear devices, the researchers warned.

Manual testing of the Netgear devices exposed a raft of authentication-related flaws, as well. They included privilege escalation vulnerabilities that would enable an attacker to become a “web admin,” unencrypted configuration storage and unauthorized configuration downloads containing data such as WPAx keys, passwords and so on.

Searches on Shodan, the hardware search engine, revealed around 500 affected Netgear devices globally that could be remotely accessed. However, that is a tiny percentage of all vulnerable devices, given that most are deployed on internal networks and are not visible to Shodan searches.

Other problems were also noted – though outside of the scope of the survey. Only 19% of the firmware images collected contained a HTTPS certificate, which the researchers consider a “lower bound estimate” of the number of firmware images that would support a web server with HTTPS support. Twenty four percent of the firmware images tested that successfully launched a web server also started a HTTPS version of the server.

“It is unfortunate that so few devices provide HTTPS support,” the researcher wrote.

The firmware versions tested also started a range of other potentially insecure interfaces by default including FTP, TFTP, RTSP, TelnetD, and Debug.

Security issues that affect embedded systems are increasingly garnering attention from the information security industry as well as policy makers. There have been frequent stories about security weaknesses in firmware that is used by a wide range of embedded systems, including home broadband routers and even baby monitors. Embedded passwords, weak authentication schemes or other remotely exploitable vulnerabilities have been attributed to the growing participation of embedded systems in criminal botnets, as well as breaches of privacy by way of inexpensive, IP enabled home surveillance cameras that are remotely exploitable.

Lawmakers have proposed remedies, including new rules that would restrict updates to wireless devices to authorized third parties. That proposal attracted the condemnation of technology and security luminaries, who noted that such a policy would risk creating a population of unmanaged and unmanageable devices, as companies and their products age and shift focus.