Understanding IoT Vulnerabilities: File Inclusion

While the term “file inclusion” is somewhat self-explanatory – in the sense that it describes the ability to include a file – this is actually a common attack vector that an outsider uses to compromise IoT device security. Because some smart things often have lacking security, cybercriminals can sometimes control these devices remotely, by exploiting vulnerabilities in how their accompanying applications connect to the internet.

To be precise, smart things usually have an application that enables users to issue commands to devices from anywhere in the world. However, since the smart device and the user don’t actually share the same physical network – of course, when the user is not at home – this means that a third-party need to relay user instructions to your internet connected IoT.

This is where web servers come in. The web servers can either be hosted anywhere on the internet, just like a regular website that’s only accessible to authenticated users, or it can be hosted on the actual smart device that’s connected to the internet. Think of web servers as a communication intermediary that mitigates the commands and information between your smart device and your smartphone. The companion applications are designed to read and send content to and from those web servers. Since web servers act pretty much like any other internet-facing website, some of them are not properly configured or secured, meaning that cybercriminals can find vulnerabilities in them and either impersonate the user application or collect sensitive personal user data that’s stored on the web server.

In more severe cases, cybercriminals can even remotely control your smart device by compromising its web server, getting it to perform malicious actions ranging from taking down websites or even use it to compromise other network device, such as your laptop, smartphone, or other network-connected IoTs.

File inclusion is basically the ability to trick the web server into executing a rogue file, provided by the attacker, without checking its validity. Attackers can use a web server’s URL address and trick it into either executing files that are already stored on the server, or load malicious files provided by the attacker.

If local file inclusion (LFI) is performed, the webserver can reveal user accounts and passwords, as well as various configurations that enable the attacker to take control and alter the web server controlling the IoT device.

Let’s assume that the web server’s name is https://example.com. A local file inclusion would look like this: https://example.com/?module=/etc/passwd, where the “?module=/etc/passwd” instruction appended at the end of the URL tricks the web server into revealing a locally stored file that contains all user passwords. Since the file was already on the web server, the attacker simply requested it to be displayed.

There’s also remote file inclusion (RFI) that enable attacker to load their own malicious file on the web server, and trick it to be executed. The malicious file can contain anything from malware designed to compromise user devices to malware designed to compromise the webserver itself and take control of all IoTs that are connected to it.

Using the previous example, if the attacker were to send the “https://example.com/?module=uploads/image.gif” to the web server, the “image.gif” file will be uploaded to the webserver automatically, even if he is not authenticated or authorized to upload anything. The file could potentially contain malicious code that once on the web server will be executed.

Of course, these examples only illustrate basic capabilities of the File Inclusion Attack, but threat actors can abuse the vulnerability to control dozens, thousands, of even hundreds of thousands of IoTs that connect to that respective web server.

It’s really important for IoT manufacturers to constantly check the security of their applications, devices, and internet-facing IoTs that host web servers, as to protect the privacy and security of their users. When purchasing a smart device, users should consider researching if manufacturers have a strong vulnerability patching program and when was the last security update issued for their smart device.

Using an integrated home network security solution is also recommend, as it can help identify attackers trying to trick your device into performing nefarious actions. More than that, it will also ensure that whenever a new security update is available, you’ll instantly receive a notification so that you can immediately install it and prevent cybercriminals from compromising your security.