Over the weekend, security researcher Mike Olsen published an article about his experience with a set of PoE security cameras that he ordered from Amazon.com. While troubleshooting a display issue, Mike found that the web portal for his cameras was using an HTML iframe element to silently load a malicious web site without his knowledge. This type of attack is a perfect example of a Cross Frame Scripting (CFS) attack.
An HTML iframe element allows one web page to load and display a second web page as part of its own page content. As an example of a legitimate use for an iframe element, WatchGuard Dimension uses iframes to display the Web UI for Fireboxes that are managed via Dimension Command. In the security cameras that Mike purchased, however, the iframe was styled to load a known malicious web site into an effectively invisible 1 x 3 pixel window at the bottom of the web portal.
By using a hidden iframe, the browser loads the malicious web site without the victim’s knowledge. The malicious web site can then exploit unpatched browser vulnerabilities to perform attacks like stealing web authentication cookies or performing drive-by-downloads of malware onto the client machine, all without any warning to the victim.
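One way to check a device's web portal for this pattern is to audit its HTML for iframes that are hidden or only a few pixels in size and that load content from another host. The script below is an added example, not code from Mike Olsen's article or from the camera firmware; the portal address `192.0.2.10`, the `.example` domains, the sample markup and the 5-pixel threshold are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 5  # assumed threshold: a frame this small cannot show usable content

SAMPLE_PORTAL = """<html><body>
<iframe src="/live/view.html" width="640" height="480"></iframe>
<iframe src="http://malicious.example/" style="width: 1px; height: 3px; border: 0"></iframe>
<iframe src="https://maps.example/embed" width="600" height="400"></iframe>
</body></html>"""  # constructed sample; the middle frame mimics the 1 x 3 pixel case

def _size(name, attrs, style):
    """Pixel size from inline CSS if present, otherwise from the HTML attribute."""
    m = re.search(rf"(?:^|;)\s*{name}\s*:\s*(\d+)(?:px)?\s*(?:;|$)", style)
    raw = m.group(1) if m else attrs.get(name, "")
    return int(raw) if raw.isdigit() else None

class IframeAudit(HTMLParser):
    """Collect iframes that are hidden or tiny AND point at a different host."""
    def __init__(self, portal_host):
        super().__init__()
        self.portal_host = portal_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower()
        hidden = bool(re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style))
        w, h = _size("width", a, style), _size("height", a, style)
        tiny = any(d is not None and d <= TINY_PX for d in (w, h))
        host = urlparse(a.get("src", "")).hostname  # None for relative (same-host) URLs
        external = host is not None and host != self.portal_host
        if external and (hidden or tiny):
            self.findings.append({"src": a["src"], "width": w, "height": h, "hidden": hidden})

def audit(html, portal_host):
    """Return a list of suspicious iframes found in the given page source."""
    p = IframeAudit(portal_host)
    p.feed(html)
    return p.findings

if __name__ == "__main__":
    print(audit(SAMPLE_PORTAL, "192.0.2.10"))
```

This inspects only the static markup, so a frame that a script injects at load time has to be caught in the browser's developer tools or in outbound traffic logs instead.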
Manufacturer-delivered malware isn’t anything new. In 2014, TrapX discovered industrial barcode scanners delivering malware via infected firmware. In 2015, security researchers found adware performing man-in-the-middle attacks on HTTPS connections pre-installed on Lenovo laptops. Even way back in 2006, a small batch of iPods was shipped pre-infected with the RavMonE worm. How or why a product becomes compromised is not always easily answered. Was the manufacturer accidentally infected by something that was then transferred to their product? Did an external attacker or insider specifically target the product? Or did the manufacturer itself knowingly deliver their product with this type of issue? One thing is obvious: we assume our new purchases will arrive in a clean state, and bad actors exploit that trust.
As IoT devices continue to become more popular, opportunities for bad guys to launch attacks on your other network connected devices will increase. Consumers should make an effort to avoid purchasing products from non-reputable manufacturers or at least search online for reviews that might expose shady behavior. Administrators should continue following best practices of testing and monitoring new devices in a sandboxed environment before moving them into production where they could cause real harm. — Marc Laliberte