Embedded Management Interfaces: Emerging Massive Insecurity

In recent years we have seen an accelerating trend of vendors embedding browser-based management interfaces in devices ranging from lights-out management modules to WiFi-enabled digital picture frames. Along with the ease of use, these interfaces have brought about significant risks of exposing private data and allowing unauthorized access to computer and network infrastructure in homes and offices. We have determined that it is critical to focus the attention of the security community on this emerging problem, and define and broadly adopt a standard set of solutions.

We studied the security of embedded web servers used in consumer electronic devices, such as security cameras and photo frames, and for IT infrastructure, such as wireless access points and lights-out management systems. All the devices we examine turn out to be vulnerable to a variety of web attacks, including cross site scripting (XSS) and cross site request forgery (CSRF). In addition, we showed that consumer electronics are particularly vulnerable to a nasty form of persistent XSS where a non-web channel such as NFS or SNMP is used to inject a malicious script. This script is later used to attack an unsuspecting user who connects to the device's web server. We refer to web attacks which are mounted through a non-web channel as cross channel scripting (XCS). We propose a client-side defense against certain XCS which we implement as a browser extension.

In proceedings of ACM CCS 2009, to appear
Blackhat 2009 Technical Briefing / whitepaper
Presentation at the Black Hat 2009

More Stanford web security research