
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Watch Out For Malware In Your New IoT Devices

April 13, 2016 By Marc Laliberte

Over the weekend, security researcher Mike Olsen published an article about his experience with a set of PoE security cameras that he ordered from Amazon.com. While troubleshooting a display issue, Mike found that the web portal for his cameras was using an HTML iframe element to silently load a malicious web site without his knowledge. This type of attack is a perfect example of a Cross Frame Scripting (CFS) attack.

An HTML iframe element allows one web page to load and display a second web page as part of its own page content. As an example of a legitimate use for an iframe element, WatchGuard Dimension uses iframes to display the Web UI for Fireboxes that are managed via Dimension Command. In the security cameras that Mike purchased, however, the iframe was styled to load a known malicious web site into an effectively invisible 1 x 3 pixel window at the bottom of the web portal.

By using a hidden iframe, the browser loads the malicious web site without the victim’s knowledge. The malicious web site can then exploit unpatched browser vulnerabilities to perform attacks like stealing web authentication cookies or performing drive-by-downloads of malware onto the client machine, all without any warning to the victim.
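As an added example (not code from the article or from Mike Olsen's write-up), the following check flags iframes in a device's portal HTML that are both hidden and loaded from a host other than the device itself. The 5-pixel threshold, the device address and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_PX = 5  # assumed threshold: a frame this small in either dimension is effectively invisible

def px(value):
    """Pixel count from '3' or '3px'; None for percentages, 'auto' or missing values."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None

def parse_style(style):
    """Inline style attribute -> {property: value}, both lowercased."""
    pairs = (d.split(":", 1) for d in (style or "").split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

class IframeAudit(HTMLParser):
    def __init__(self, device_host):
        super().__init__()
        self.device_host = device_host.lower()
        self.findings = []  # (src, width_px, height_px) per suspicious frame

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        css = parse_style(a.get("style"))
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        external = bool(host) and host != self.device_host  # relative URLs have no host
        w, h = (px(css.get(d) or a.get(d)) for d in ("width", "height"))
        tiny = any(n is not None and n <= MAX_PX for n in (w, h))
        hidden = (tiny or "hidden" in a or css.get("display") == "none"
                  or css.get("visibility") == "hidden")
        if external and hidden:
            self.findings.append((a["src"], w, h))

def audit(html, device_host):
    parser = IframeAudit(device_host)
    parser.feed(html)
    return parser.findings

# Constructed sample portal page; hosts and paths are placeholders, not values from the article.
SAMPLE = """
<iframe src="/live/view.html" width="640" height="480"></iframe>
<iframe src="http://dashboard.example.net/ui" width="800" height="600"></iframe>
<iframe src="/status.html" style="display:none"></iframe>
<iframe src="http://untrusted.example/x" style="width:1px; height:3px; border:0"></iframe>
"""
if __name__ == "__main__":
    print(audit(SAMPLE, "192.168.1.108"))
```

This inspects inline attributes and inline styles only. A frame hidden through an external stylesheet or injected by script would need a check against the rendered DOM.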

Manufacturer-delivered malware isn’t anything new. In 2014, TrapX discovered industrial barcode scanners delivering malware via infected firmware. In 2015, security researchers found adware performing man-in-the-middle attacks on HTTPS connections pre-installed on Lenovo laptops. Even way back in 2006, a small batch of iPods was shipped pre-infected with the RavMonE worm. How or why a product becomes compromised is not always easily answered. Was the manufacturer accidentally infected by something that was then transferred to their product? Did an external attacker or insider specifically target the product? Or did the manufacturer itself knowingly deliver their product with this type of issue? One thing is obvious: we assume our new purchases will arrive in a clean state, and bad actors exploit that trust.

As IoT devices continue to become more popular, opportunities for bad guys to launch attacks on your other network-connected devices will increase. Consumers should make an effort to avoid purchasing products from non-reputable manufacturers or at least search online for reviews that might expose shady behavior. Administrators should continue following best practices of testing and monitoring new devices in a sandboxed environment before moving them into production where they could cause real harm. — Marc Laliberte


Comments

  1. Camel Tracker says

    April 13, 2016 at 12:01 pm

    Amazon has removed the link from their site. From camelcamelcamel.com pasting in the Amazon link in your article:

    USG Sony Chip HD 6 Camera 1080P PoE IP CCTV Kit: 1x 8 Channel NVR + 6x 1080P 2.8-12mm PoE IP Dome with Bracket Cameras + 1x 9 Port PoE Switch *** Affordable High Definition CCTV Video Surveillance! (B00YMEVSGA)

    in Photography » Electronics » Urban Security Group
