Understanding IoT Vulnerabilities: HTTP Response Splitting

With an estimate of more than 8 billion smart devices connected to the internet in 2017, security researchers have often found them to be vulnerable, remotely controllable by attackers, and even endangering user’s privacy. The nature of these vulnerabilities often varies in complexity, but the end result is usually the same: cyber criminals get to control them, access your personal data and files, and even use them to infect other devices that share the same network with your vulnerable smart device.

While the term “HTTP Response Splitting” might sound intimidating and really techy at first, how it actually works is really quite simple.

For example, imagine standing in line at a cafeteria. Your turn is up and you tell the lunch lady that you want mashed potatoes and gravy. Suddenly, the guy behind you starts talking to the lunch lady about peanut butter and jelly sandwiches and the fact that everyone secretly wants to have that for lunch. As she wasn’t really paying too much attention to either of you, you end up being served peanut butter and jelly sandwiches, even though you requested mashed potatoes and gravy.

In essence, both you and the guy behind you were requesting menu items from the lunch lady, but because she wasn’t able to properly distinguish between a joke and a valid request, everyone gets served peanut butter and jelly sandwiches.

Since most controlling an IoT usually involves a mobile application and a user interface, issuing commands to the actual device is not something that happens directly between the mobile application and the device.

For example, telling a smart vacuum cleaner to move left or right via a mobile app means the application will “talk” to the internet – or in this case, a web server that’s deployed on the actual IoT device – that will “relay” the command to the vacuum cleaner. That’s how users can control a smart vacuum cleaner from anywhere in the world, without actually being in the house, on the same network, or even in the same country.

While the benefits are straightforward, the downside is that sometimes these web servers may not be the most secure parties out there.

HTTP response splitting is somewhat similar to the cafeteria example, as the web servers usually know how to respond to a specifically formatted request – in our previous example, menu items. However, because they don’t properly sanitize requests input, they may end up executing a malicious command if it’s “wrapped” or formatted as a legitimate request. The end result could lead to “poisoning” responses to everyone requesting information from the web server – or everyone getting peanut butter and jelly sandwiches for lunch, per our example.

Attackers can use these HTTP vulnerabilities to trick web servers into redirecting users to fraudulent webpages, divulge authentication credentials, or even remotely connect to your device. Because most internet-of-things devices rely on internet-based web servers to enable users to control their smart devices from anywhere in the world, these vulnerabilities could allow cybercriminals to compromise all IoTs connected to that vulnerable web server.

It’s important to make sure that your devices are constantly updated with the latest security patches and updates, make sure that your smart devices are connected to a dedicated home network – and not the same network that’s shared by your laptops, smartphones, or tablets – and deploy a home network cybersecurity solution that’s able to detect any incoming malicious threats while scanning your devices for vulnerabilities.