Title | ||
---|---|---|
Game of Hide-and-Seek: Exposing Hidden Interfaces in Embedded Web Applications of IoT Devices |
Abstract | ||
---|---|---|
Recent years have seen increased attacks targeting embedded web applications of IoT devices. An important target of such attacks is the hidden interface of embedded web applications, which employs no protection but exposes security-critical actions and sensitive information to illegitimate users. With the severity and the pervasiveness of this issue, it is crucial to identify the vulnerable hidden interfaces, shed light on best practices and raise public awareness. In this paper, we present, a new approach that automatically exposes hidden web interfaces of IoT devices. Specifically, constructs probing requests through firmware analysis to test physical devices, and narrows down the scope of identification by filtering out irrelevant requests and interfaces through differential analysis. It pinpoints hidden interfaces by attaching various device-setting parameters in the probing requests and matching keywords of sensitive information. Evaluated on 17 IoT devices, successfully identified 44 vulnerabilities, including 43 previously unknown ones. also demonstrates surprising efficiency: on average, it delivered 151438 probing requests, taking only 47 minutes on each target device. |
Year | DOI | Venue |
---|---|---|
2022 | 10.1145/3485447.3512213 | International World Wide Web Conference |
Keywords | DocType | Citations |
---|---|---|
Vulnerability detection, authentication, web security, Internet of Things | Conference | 0 |
PageRank | References | Authors |
---|---|---|
0.34 | 0 | 8 |
Name | Order | Citations | PageRank |
---|---|---|---|
Wei Xie | 1 | 3 | 2.07 |
Jiongyi Chen | 2 | 0 | 0.34 |
Zhenhua Wang | 3 | 0 | 0.68 |
Chao Feng | 4 | 0 | 0.34 |
Enze Wang | 5 | 0 | 0.68 |
Yifei Gao | 6 | 0 | 0.68 |
Baosheng Wang | 7 | 3 | 5.81 |
Kai Lu | 8 | 465 | 57.59 |