Forget mis-configured Apache servers and vulnerability-laden Adobe applications. The biggest security threats to business and home networks may be the avalanche of webcams, printers, and other devices that ship with embedded web interfaces that can easily be turned against their masters. The web interfaces are designed to make …
To exploit these flaws you need to be able to connect to the vulnerable service in the first place. If your NAS, printer and e-fridge are behind a firewall, then they can't be directly attacked. Sure they can be attacked from behind your firewall, inside your LAN, but by then you've already let the Greeks into Troy, so you've really got bigger things to worry about.
This is why we invented firewalls.
Standalone, stateful firewalls, to be precise.
Obvious Exploited for Publicity
This is one of the oldest stories around. Why Stanford just now found out about it is pretty amusing.
Just FYI --- Web Enabled Management interfaces are always supposed to be on isolated management networks --- not public ones --- well known proper practice.
No, it's not.
"However, given the fact that it is so hard to keep track of all input and output, it is too much to ask each vendor to fix to the problem directly."
No, actually, it's not. Real programmers have been doing it for quite some time now. All the useless monkeys we've chased out of enterprise programming just program for these device classes now.
Now I know why I don't trust NAS.
The 'login failure log' attack is entirely due to utterly **** programming. How is it possible to put *executable* script into the username field? This can *only* be because it's not discarding (or escaping in display) special characters, in particular the < & > symbols.
If a field isn't allowed to contain a character, discard it! Thus all attacks requiring the use of that character will fail.
(I manage to do that for bespoke 'muppet-proof' applications, and I'm not exactly the world's greatest programmer.)
The SMB attacks are considerably more concerning though - if they can rename my files *at all*, I can't trust the unit. It doesn't matter what they rename them to - I need my files to remain unmolested.
I was under the impression that SMB had reasonably good security. Is that false?
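The failed-login log problem raised in the comment above (markup in the username field running when an admin opens the log page), shown as an added example that is not part of the original thread or any vendor's firmware. The record layout, function names and allow-list are assumptions made for illustration; the sample log entries are constructed.

```python
import html
import re

# Constructed sample: failed-login records as a device might store them.
# The second username carries markup, the case the comment describes.
FAILED_LOGINS = [
    {"time": "08:14:02", "user": "admin", "src": "192.168.0.23"},
    {"time": "08:14:09", "user": "<script>alert(1)</script>",
     "src": "192.168.0.23"},
    {"time": "08:15:30", "user": "o'brien & co", "src": "192.168.0.40"},
]

ROW = "<tr><td>{time}</td><td>{user}</td><td>{src}</td></tr>"


def render_unsafe(records):
    """Before: stored values are pasted into the admin page as-is."""
    return "\n".join(ROW.format(**r) for r in records)


def render_escaped(records):
    """After: every stored value is HTML-escaped at display time,
    so the browser shows the characters instead of parsing them."""
    return "\n".join(
        ROW.format(**{k: html.escape(str(v), quote=True)
                      for k, v in r.items()})
        for r in records
    )


# The commenter's alternative: discard characters the field never needs.
# Hypothetical allow-list: letters, digits, dot, underscore, hyphen.
DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_username(raw, max_len=32):
    """Strip everything outside the allow-list before the value is logged."""
    return DISALLOWED.sub("", raw)[:max_len]


if __name__ == "__main__":
    print(render_unsafe(FAILED_LOGINS))
    print(render_escaped(FAILED_LOGINS))
    print([sanitize_username(r["user"]) for r in FAILED_LOGINS])
```

Escaping at display time keeps the original value intact for forensics and also covers strings that reach the page by another route, while discarding characters at input changes what is recorded.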
More of the bleedin' obvious
The geeks amongst us are going to be fine, right ?
The not so geeky is gonna get stiffed as usual, but this time on their favourite digital appliances. Malware infections wot security vendors products can't see and therefore can't clean and which consequently, will keep re-attacking any network PCs and/or servers, until they are identified and removed.
No problem then !
I raised this problem in a banking network I was looking at four years ago. And I could access these devices from a public internet terminal (i.e. from outside their network)! Answer was that nobody knew how to exploit these devices and so there was no need to monitor or 'wall. I quit the job.
Another perspective from an author
Folks, I thought I would take a look at what some of your comments say, from a different angle:
(a) people *don't* have a separate LAN for managing their e-fridges, digital picture frames, etc.
(b) the laptops with embedded LOM happen to use the Starbucks WiFi AP
(c) the one engineer working on the embedded management interface for a particular device doesn't necessarily have a security background and has to finish the job *yesterday*
(d) ... shall we continue?
The problem is real, and is emerging only now (one of the reasons being cheaper networking HW and processing power, which allow embedding a small web server practically anywhere). We have to fix this one way or another. The people developing this software are not going to magically become security-savvy, and development schedules are not going to expand to allow for more security testing. What are you doing to help?
Google Hacking Database
If this bloke has only just figured this out while doing his PhD, he must have spent a lot of his university time down the bar. I thought everyone knew about Google Hacking where you can find all kinds of devices by using search strings which look for portions of URLs used in various web interfaces.
Many people seem quite naive when connecting devices to the Internet for their own use - the idea that others might connect to their NAS/webcam/printer eludes them.
Not only web interfaces
I remember an incident in the 90s that an insurance company - which I worked for - got hacked because the IT dept hadn't disabled the telnet interface in an HP jetdirect box. It may have just been a corporate myth to try and get us to take security seriously, but the guy seemed to be serious.
The researchers ... plant an ever-present "ghost" in certain models of photo frames......programmed to send a copy of each picture stored, the times the device is accessed and other potentially sensitive data.
Oh wow, they get terabytes of pictures of the family dog, trips out, someone's birthday party etc etc...it's not like there are going to be photos that you can be blackmailed with.
Here I'll save them the effort.
A firewall won't protect you from anything, if you use a wireless network and don't secure it properly. (Ok, it will protect you from Internet based attacks, but not from someone in the street) I try to run everything wired and only leave my wireless network on for the smallest amount of time possible, I also have its port DMZed. I don't think that the majority of people could be expected to understand how to configure such a network.
Back in the sixties...
Well, during the first Iraq war, anyway, there was a scare story going around about a "printer virus". The tale was believed by many to have been got up by some intelligence agency as a disinformation campaign, but could just as easily have been a normal urban legend. Printers just barely had memory to buffer the stream of data then, and certainly nothing that could get infected.
I agree with AC
If you're outside the company firewall then this is what you have to do:
1, break into the firewall
2, scan every machine on the network until you find a printer (or similar)
3, identify the manufacturer and model
4, perform hack
Since 1 is impossible and 2 & 3 may be quite difficult, it doesn't matter how hard it is to do 4!
Are the guys who have identified this "exploit" about to sell us a solution, perchance? This problem is as old as the hills and hasn't been known to cause any major problems for anyone so far!
When I was at Uni (many long years ago), I remember developing a piece of mangled postscript which contained embedded commands. When sent to a particular make of printer it would allow me to do all kinds of naughty things... and it didn't rely on sysadmins using a particular tool to look through logs either.
AC (for obvious reasons)
One good start to seeing what's out there (assuming you're on the LAN, of course) is a broadcast ping.
Doing that on my home LAN (ping to x.x.x.0), the Linux/Windows/Mac machines ignore it, but the UPS web management card responded, as did the wifi router, the network webcams, the NAS boxes, the JetDirect cards and my OS/2 VM. Interestingly, a broadcast ping to x.x.x.255 woke up the Mac as well.
yeah, yeah whatever.
all your printers belong to us.
Firewall isn't silver....
Clearly a firewall is going to protect from direct internet attack.
However, if the attacker can subvert a PC on the LAN (via nasty email or browsing to a trojanised site) then that PC can be programmed to make the attack on LAN printer.
PC antivirus update might later clean the PC, but who has AV running on their printers?
"I try to run everything wired and only leave my wireless network on for the smallest amount of time possible, I also have its port DMZed."
Hmmmmm, I'm not sure whether that was a typo or what but; the DMZ stands for De-Militarised Zone I.E. Any device you place in the DMZ is effectively on the other side of your firewall....unprotected :/
I hope that was a typo and if not, happy to help.
If the attacks are as made out here; I'm going hunting for a network that has a coffee machine and webcam up and start da haunting, woooOOOOooooo
Photo Frames - @AC 08:25
Given the current furore over News of the World phone tapping, I'm guessing that the photo frames of Paris, Lindsay, and any other D-list celebrities or politicians are the obvious target; it's the invasion of privacy angle that's concerning as much as anything else...
The majority of peeps who read El Reg know about firewalls etc. The vast majority of people who will buy and run these devices are not tech literate - they just want something that they plug in and works. I think what this report is highlighting is that by default this kit is open and hackable and that some thought should be put into making home networking more secure without being too techy.
I thought they all ran Linux, and fairly stripped down versions thereof, too. I'm surprised to hear that they are safe havens for Windows viruses to hide and surprised that it would be too expensive for the vendors to fix.
But then, I'm also surprised that the average NAS unit isn't far more "open" than they really are. Some of them could be really nice headless machines (small, cheap, low-power) but it seems that the vendors are so convinced that there isn't a market there that they are actually willing to make an extra effort to prevent that use.
C'mon people. No-one can "pirate" hardware and you haven't got any investment in the software to lose. Opening it up would make your product more saleable and allow a user community to take on some of your support burden. It's a win-win.
Issuing an Open Invitation to be Hacked?
One of HP's latest Multifunction Printers (according to Sept 2009 issue of Linuxformat) has a touchscreen and builtin web browser.
Ok, I understand there is a USP here in being able to print web pages out directly but I wouldn't want to use it. I foresee other printer makers following HP's lead. I won't be buying one that is for sure.
It would be only too easy to visit a site infected with malware and guess what effect your super dooper firewall will have in blocking the bad stuff? Zero.
The only saving grace could be that it uses a Freescale CPU unless...
it was specifically targeted.
I guess this sort of targeting is not too difficult
Anon 08:43 GMT you used the 'I' word. Fail.
It is not impossible to break through a firewall, it is absolutely possible. What it actually is, is non-trivial.
It's very hard to break through a well configured firewall but when you're in, you're in.
The point that is missed in the article is that if you have got to the point when you can attack these devices they are no longer the target.
1. Long way from impossible unless the FW has been configged by a seriously competent security bod. You only need to get THROUGH the firewall, you don't need control of it. Think DSL modem, not router.
2. Type "nmap -p0 192.168.0.0/24" or similar at your *nix or Cygwin command prompt
3. nmap will give you the manufacturer from MAC address lookup as part of what it does. Seagate don't make printers, Epson don't make NAS (do they?)
4. Do your thing as you have the above sorted.
Before you say 'that's good for a home attack, corps are still more secure' think what logins the home network has for the work VPN that can be gleaned.
I'm not a hacker and I know this much just from working with the stuff each day...
When articles like this appear, there never appears to be any sound advice, though there's plenty of moaning and groaning and I told you so comments.
It would be nice to see one or more of the SAVVY minded elReg commentards blogging with some good advice for those not so SAVVY tech minded elReg readers on what is a decent safe method to set up network items such as printers, voip, photoframes, etc?
Has the reverse photo frame exploit been tried yet? forcing an image into a frame.
Possibilities for blackmailers and bunny boilers must be immense...
Actually, I think he has a quite fine config there. Because the Wifi is in the DMZ, it should not access anything inside the firewall. This allows Wifi users access to the "innertubes", and leave his LAN alone; safe as houses, what?
Of course, this then means that he should not be able to access any of the network resources of the LAN, unless port forwarding is configured for access of certain services to certain machines.
But again, if you are going that far into the garden, furrowing a flower bed is naught work, really.
Stanford Peripheral Experiment?
A DMZ is not outside a firewall per se, it's outside the main network, so outside the main firewall, but isn't fully open to the internet, otherwise anything in your DMZ would just be in the Internet. Machines in a DMZ have certain ports open to the internet/untrusted network and certain ports open to the trusted network.
The OS built into the BIOS on NAS, switches, printers, photo frames etc. is largely irrelevant.
It could be Linux, windows, or even OS/2 Warp. What's important is that the OS itself is hosting a web-based interface for remote control (the whole point of having this sub-OS).
The OS of whatever flavour does the configuring of the hardware, but it accepts control commands from the web interface, which obviously is hosted on a mini web server. If the mini web server can be cracked through code injection, the OS will blindly follow commands sent to it from this mini web app.
We've just barely managed to get internet based PHP developers worldwide to start coding in algorithms that stop SQL injections, and this was only due to the rampant use of such attacks.
So if you're working from a small department on a tight schedule, with extremely limited hardware resources (these mini web servers ain't exactly gonna host the next facebook!) in all practical reality the odds of a security vulnerability getting through are pretty high.
When I think of the trust relationship between my computer and my primary backbone switch which uses fully enabled Java for its interface...
On the other hand though, I would certainly expect a more professional approach to built-in security from a firm producing rack mounted hardware than a poxy little photo frame
I actually do layer my home network - it's easy
I layer my home network and put web-accessible items one firewall in. There is protection from the Internet provided by the first router/firewall and protection for my NAS and desktops/laptop provided by the 2nd firewall. With Linksys WRT54GL wireless routers now selling around $50 (US), and 3rd party firmware like dd-wrt and Tomato, there really isn't an excuse for not layering protection.
But I agree - the people who don't know enough to configure routers and firewalls, port forwarding, etc, are in a world of hurt. I see way too many home "networks" that are their cable or DSL modem and a hub or router in default configuration with no security.
Actually it's a browser vuln
OK, the nuts of this vuln is that your browser will aggressively execute ANY suitable script it finds, even inside a file name or log entry! I know we've all benefited from the extensibility of HTML from embedded magic strings that signal "script ahead!", but this is really a massive security hole. This is the elephant in the room. This is *the* big HTML fail, the fundamental design flaw.
Back to the issue of embedded servers - we've certainly seen it in our LAN - when we turned on WiFi for the house sitter while we went on holiday, she could easily see our NAS - so we unplugged it before we left, but did leave the network printer up for her benefit. Normally the WiFi is off. Fortunately we did a checkout before leaving! We're in a tight neighborhood, and about a dozen houses must be able to see our WAP, based on how many WAPs we can see.
@AC 'Old news #'
I know exactly what you mean.
Some years ago I was managing a heterogenous network on a survey ship, connected to the outside world by VSAT at isdn speeds.
I had a bit of a browse around the universe one night. I discovered I could print documents in my local district council - their print queues were all visible over the internet. I sent them a few quotations for consultancy to stop it happening, including printing them on their printers, but heard nothing.
Those claiming that it's too difficult to break through firewalls - the average consumer 'firewall' is a NAT device (with various degrees of vulnerability) plus a badly configured software packet inspector on the user's machine.
In any case, there are alternate ways around a firewall. Go in via a browser exploit - and use that to plant backdoors on various devices, that's not too far fetched, even/especially in the average corporation with an overworked IT department and a scheduled set of OS/software updates that are always later than you'd get them in the consumer world - due to the need for verification.
Firewalls and stuff
Actually a hardware firewall built into your router will help as long as the devices aren't available on a wireless network. But then wireless networks can be secured using other methods.
IF the users of these devices went to a real computer store instead of PC World or Best Buy, then the odds are about 50/50 that the seller would show the user how to secure his or her device. Occasionally even those corporates have ethical employees, but those sorts of employees don't last long because corporate electronics stores want to charge for basic configuration, not give it away for free.
Anyway the point of the article is not that stuff on the internet is vulnerable because 100% security is impossible, but rather if you spend 5 minutes learning how to configure the device you can make yourself safe from drive-by hacks.
The following Google search.. okay I won't but there is a simple one that will reveal 1000s of unsecured devices for everyone to take a look at. Even more if you're aware of the standard admin username and password, admin. Or 12345.
So the problem is lazy, greedy or unscrupulous computer dealers don't tell non-techs how to secure their devices in a way that won't make their co-existing PC 100% secure, but will make it safe enough to withstand those who can't be bothered to waste time figuring something out when there's 1000s of other targets out there that don't require any thought whatsoever to access.
And that is actually pretty damn safe. It's like the old joke about the two guys that stumble across a lion. One starts to run and the other asks puzzled, 'do you really think we can outrun the lion?'. The guy that started running answers 'no, but I know I can outrun you.'
Any non-techie that reaches the goal of outrunning the millions of slow people with no security has pretty much made their system as safe as it needs to be, unless he has a disgruntled spouse with the phone number of a good detective agency and a penchant for deleting his WoW toons (I know a guy this happened to and while I also know I shouldn't laugh..).
To anyone thinking, well if they just read the manual.. yeah.. right.. You'd think that at least one manufacturer.. just one.. would employ someone with the ability to put all the required words in a sentence to make that sentence mean something in the language it was written..