Understanding IoT Vulnerabilities: Cross-site request forgery or The Ill-Intended Neighboring Browser Tab
The online world is more than shiny websites with cool layouts and easy-to-use web services. Underneath the surface is code that automates your interactions, and validates connections and requests. The underlying mechanism gets more complex when various services run in the same environment, like a web browser, where different tabs provide access to distinct destinations.
Failure by service providers to properly check the legitimacy of a request may expose users to a type of attack known as Cross-Site Request Forgery. The attack works by using a website’s ability to issue a solicitation to another website or web application. CSRF is similar to call forwarding, where the connection between the caller and the person being called runs through another phone. A CSRF attack, though, does not show the original source to the receiver and the request appears to come from the legitimate website acting as a forwarder.
To keep the explanation simple, think of a hotel with a faulty communication system to the reception desk that allows calls to run through any room before they reach the concierge. A fraudster aware of the weakness could route a call to the front desk through another room and pretend they were the legitimate guest. Under these conditions, the fraudster could ask for hotel services to his room and put it all on the victim’s tab.
In a widely circulated example demonstrating the power of this attack method, an online banking service plays the part of the target, and receives a forged request to transfer funds from a victim who is already logged into their account. Without protection against CSRF, the transfer goes through completely invisible when the victim clicks on a link that loads code with the money-transfer command.
Although CSRF is not a problem for regular websites and online services that implement standard security measures, the method can be quite successful against Internet-of-Things products that offer browser-based configuration options. Many products, such as routers, network-attached storage (NAS) devices, media player boxes, IP cameras and digital video recorders, are not immune to this type of attack. A hacker could lure a victim into visiting a webpage that ultimately re-configures a vulnerable device to the advantage of the perpetrator.
Under regular circumstances, users have no way to learn of the unauthorized changes or that their products are vulnerable so they can take preventative actions, and keeping up with security news is also impractical for most individuals. But delegating all this to a specialized tool like Bitdefender Home Scanner, able to list known vulnerabilities in devices on the network, should help the user raise the necessary defenses, such as installing an updated firmware that fixes the problem.
Stopping traffic to malicious web locations is a task for Bitdefender BOX, a piece of hardware that can protect all smart gadgets in the house. BOX actively scans for weaknesses relating to network security and checks if the connections to the internet lead to bad websites. The product is specifically designed to protect IoT products on the home network.Bitdefender BOX CSRF Home Scanner HSBox understanding IoT vulnerabilities vulnerability