Understanding IoT Vulnerabilities: Directory Traversal

With a large number of IoTs currently in the wild, security researchers have expressed – on numerous occasions – serious concerns regarding the security of these devices and how easily cybercriminals can sometimes compromise a users’ privacy, sensitive data, and even the entire home network.

One vulnerability that’s in the cybercriminals’ arsenal is named “directory traversal” and it impacts the webserver to which users connect to via a mobile application to send out instructions to smart devices, regardless of their location in the world. Because web servers play a vital role in managing smart things, compromising those enables cybercriminals to view sensitive information about users or remotely control smart devices that connect to the web server.

However, there are instances where the web server is installed on the actual smart device that’s connected to the internet. This means that if an attacker can find the device’s IP address, he can start exploiting the directory traversal vulnerability on the device, essentially remotely compromising it.

Directory traversal is a type of HTTP exploit that allows attackers to gain unauthorized access to directories, files, and even commands that would otherwise be restricted to regular users. For example, the average users should only be able to access information in the web server’s root directory, where the type of information hosted there revolves around web pages and non-sensitive data.

A directory traversal attack is usually performed via web browsers, by manipulating the URL (web address) using a sequence of special characters – such as “../” – to bypass security filters and access directories and files outside the web root directory.

For instance, whenever users visit the www.example.com/index.html website, they’ll view the domain’s homepage, represented by the “index.html” file. This file – along with all the other webpages belonging to the same website – is located in the webserver’s root directory. If the web server is vulnerable to a directory traversal attack, a cybercriminal could potentially escape the webserver’s root directory and browser other directories of the web server, by typing in the address bar of their web browser something along the lines of www.example.com/../../../etc/passwd. This will display the password file from the server, information that shouldn’t be accessible.

The “../”directive is commonly used to move up one directory, essentially enabling the attacker to move around the directory tree of the web server, searching for sensitive files. Other escape codes, such as “%2e%2e/”, “%2e%2e%2f” or “..%2f”, “%2e%2e%5c” can also be used, as they’re usually decoded by the webserver into the same “../” directive.

The directory traversal attack does involve a somewhat trial and error approach, as cybercriminals don’t have prior knowledge of the configuration of the directory tree. For example, to access sensitive files, they may need to move several directories up from the initial root directory.

Imagine going into an apartment building, walking a long corridor with doors on both sides, and trying to reach apartment 17 where you know your friend is expecting you. Getting into the apartment building is unrestricted and since you know that apartment 17 is where you need to go, you don’t bother trying to check if apartments 1 to 16 are unlocked or if there’s anyone home. Cybercriminals on the other hand do. While they know that apartment 17 is where they need to reach  (and where they actually are allowed to go), they’ll try to check if any other door is open, essentially knocking and opening the door at the same time as they move up. Of course, if the doors are not locked, they’ll get in, snoop around, and get whatever is of value.

Protecting against this type of attack is a matter of validating the URL that gets received by the web server, before executing it. IoT manufacturers that host web servers that enable communication with their smart devices, need to block URLs that contain commands or escape codes, to prevent attackers from performing a directory traversal attack. Installing the latest software updates and patches is also a great security practice, as some might contain fixes that prevent this exact type of attack.

Since this is not a specific IoT device vulnerability, but a web server vulnerability, users have little control over securing their device. However, they need to constantly check for security updates both for their device and the accompanying application, as these could include fixes that address the directory traversal vulnerability. Additionally, deploying a home network cybersecurity solution able to constantly scan for vulnerabilities within their smart devices and notify users whenever new security updates are available, is also more than recommended.