NetSPI Information Security Consulting
NetSPI Blog


Cross-Channel Scripting, Web-Based Embedded Management Interfaces, and Rickrolling

Thursday, September 17th, 2009

Devices such as printers, photo frames, phones, and webcams are often considered an afterthought during a typical security assessment. A study released by the Stanford University Security Laboratory, however, has demonstrated that the web-based management interfaces embedded in these devices may introduce greater risk into your network than you would think.

Unless it’s possible to access the underlying code of these interfaces, organizations are faced with three options: remove the device from the network, ask the vendor for a patch, or accept and minimize the risk via access controls. For most organizations, the first option isn’t reasonable. As for the second option, organizations are left at the vendor’s mercy in terms of when, and if, a patch will be released. The third option may be sufficient, but it places no pressure on vendors to fix these issues. Additionally, as mandatory security standards such as the PCI DSS become more prevalent, it’s only a matter of time before these devices are forced into the limelight.

Many organizations that release web-based applications are expected to bake security into their software development life cycle, as well as to audit these applications and release patches on a regular basis. It seems the root of the problem stems from the lack of pressure on these vendors from the users of these devices. Often, devices such as IP-based cameras and photo frames are placed on networks without admins being aware of it. Even devices that admins are aware of, such as printers, are often overlooked during security assessments. Budgets are limited, and security assessments are often focused on more pertinent areas within the network, such as mission-critical server infrastructure. An auditor can’t tell you to repair vulnerabilities on devices that are out of scope or that they are unaware of; as far as the client is concerned, these vulnerabilities may as well not exist. In turn, vendors will be under little to no pressure from their clients to patch these often-overlooked vulnerabilities.

As for the vulnerabilities themselves, many of the findings in the paper did not seem to be all that “new” so much as simply unnoticed. Many of them were simple issues surrounding a lack of input and output validation via standard web forms. However, the paper did mention a new form of attack known as XCS, or cross-channel scripting. In the past, these types of attacks were often launched via HTTP. XCS, on the other hand, exploits cross-site scripting vulnerabilities via non-traditional communication channels such as FTP, SMB, and SIP. For example, a tag such as <script>alert(123)</script> may be embedded in a spoofed caller ID created via SIP. This script tag will be stored in a log; once the admin views the log via the web-based management interface for the phone, an alert box with the number “123” will appear on the admin’s screen. Obviously this won’t accomplish much beyond annoying an admin, but if the script were to be used to steal the admin’s session, the attacker could then take unauthorized actions in the interface with the admin’s privileges. Depending on the nature of the interface, the attacker could do pesky things like changing the ringtone of every phone on the network to a Rick Astley tune (click at your own risk). Alternatively, an attacker could potentially take down an entire company’s IP-based phone system, causing hefty amounts of financial damage through lost productivity and lost consumer confidence due to downtime.
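To make the cross-channel point concrete from the defender’s side, here is an added Python example that is not from the post or from the Stanford paper. It models a hypothetical phone’s call log: a caller ID is parsed out of a constructed SIP INVITE (the SIP channel), stored in a log, and later rendered into HTML for an admin’s browser (the HTTP channel). The `render_log_vulnerable` function reproduces the failure the post describes, `render_log_hardened` shows the fix (HTML-encode every field at output time, whatever channel it came in through), and `flag_suspicious_entries` is a simple log-review heuristic for spotting markup in fields that should never contain it. All message contents, names, and functions are constructed for this example.

```python
import html
import re

# Constructed SIP INVITE carrying the post's example payload in the
# caller-ID display name. Nothing here is a real call or a real host.
SIP_INVITE = (
    "INVITE sip:1042@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    'From: "<script>alert(123)</script>" <sip:2000@192.0.2.10>;tag=abc\r\n'
    "To: <sip:1042@pbx.example.test>\r\n"
    "Call-ID: constructed-call-1\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

_FROM_RE = re.compile(r'^From:\s*"([^"]*)"\s*<sip:([^@>]+)@', re.MULTILINE)


def log_entry_from_invite(message, when):
    """Extracts the display name and user part from the From header and
    returns the dict the (hypothetical) phone would append to its call log.
    Storing the raw display name is fine; the bug is in how it is shown."""
    m = _FROM_RE.search(message)
    if not m:
        raise ValueError("no parsable From header")
    return {"time": when, "caller_id": m.group(1), "number": m.group(2)}


# Constructed call log: two ordinary entries plus the parsed INVITE above.
SAMPLE_CALL_LOG = [
    {"time": "2009-09-17 09:01:12", "caller_id": "Front Desk", "number": "1001"},
    {"time": "2009-09-17 09:04:55", "caller_id": "Jane Doe", "number": "1042"},
    log_entry_from_invite(SIP_INVITE, "2009-09-17 09:07:30"),
]


def render_log_vulnerable(entries):
    """Builds the admin-page table by string concatenation with no output
    encoding. The stored caller ID reaches the browser verbatim, so a
    script tag that arrived over SIP now runs in the admin's session."""
    rows = "".join(
        f"<tr><td>{e['time']}</td><td>{e['caller_id']}</td><td>{e['number']}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_hardened(entries):
    """Same table, but every field is HTML-escaped at output time. Because
    the encoding happens where the data is rendered, it does not matter
    which channel (SIP, FTP, SMB, HTTP) the data originally came through."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(str(e["time"]), quote=True),
            html.escape(str(e["caller_id"]), quote=True),
            html.escape(str(e["number"]), quote=True),
        )
        for e in entries
    )
    return f"<table>{rows}</table>"


_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def flag_suspicious_entries(entries):
    """Log-review heuristic: returns entries whose caller ID contains
    anything that looks like an HTML tag. A caller ID should never contain
    markup, so a hit is worth a look. This complements output encoding;
    it is not a replacement for it."""
    return [e for e in entries if _TAG_RE.search(e["caller_id"])]


def contains_live_script(rendered_html):
    """True if the rendered page still carries an unescaped <script> tag,
    i.e. the payload would execute when the admin opens the log."""
    return bool(re.search(r"<script\b", rendered_html, re.IGNORECASE))


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_live_script(render_log_vulnerable(SAMPLE_CALL_LOG)))
    print("hardened page executes script:  ", contains_live_script(render_log_hardened(SAMPLE_CALL_LOG)))
    print("entries to review:", [e["number"] for e in flag_suspicious_entries(SAMPLE_CALL_LOG)])
```

The design point is where the encoding lives: validating only the HTTP form inputs, which is what most of these interfaces do, leaves every other ingress (SIP headers, FTP file names, SMB share names) untreated, whereas escaping at the point of rendering covers all of them at once. The `flag_suspicious_entries` check is the kind of thing an admin can run over an exported log when a device cannot be patched and the risk is being managed rather than removed.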

We all have limited resources and have to choose our battles when it comes to security assessments. Still, I would highly recommend giving the white paper a skim, if only to get an idea of the potential risks associated with these often-overlooked devices. I’m waiting for a news story about someone taking over an entire network via an IP-enabled photo frame (if you see one, let me know). Maybe it won’t happen any time soon, perhaps never; but if it does, organizations may have to think twice about that seemingly innocuous printer gathering dust in the back of the office.
