How "Anyone" Can Hack Your Embedded Web Server

With easy-to-use hacking tools available on GitHub, anyone can hack your HTTP(S)-enabled product. Follow along with this tutorial to learn how shockingly easy it is to hack devices on your private network.

Hacking your embedded web server

Intercepting HTTP(S) traffic and acting as a man in the middle is very easy with network security tools such as Ettercap and the Pineapple. We include HTTPS as "hackable" because many "secure" embedded web server enabled products ship with an untrusted certificate, and when the certificate is not trusted, acting as a man in the middle is just as easy as with plain HTTP. We dive deeper into this further down.

A man in the middle can easily extract credentials from the embedded web server, as we will show later in this tutorial, but an adversary can do much more: by injecting, for example, the Browser Exploitation Framework, he can potentially get into other sites such as the user's bank account or other sensitive sites the user is currently logged into. In other words, an insecure web server, including an HTTPS web server with an untrusted certificate, exposes the user to an array of attacks that are not limited to the embedded web server itself.

The following video, produced by Troy Hunt, a Microsoft Director, shows how important it is to HTTPS-enable any web server in order to protect the user from cross-site scripting via, for example, the Browser Exploitation Framework. We recommend viewing the video in full, as it is very informative.

Towards the end of the above video, Troy shows how HTTPS protects the site: a warning appears in the browser when a man in the middle intercepts the HTTPS traffic. Most TLS-enabled products, however, ship with an untrusted certificate. TLS is rendered useless when the certificate is not trusted and the user is forced to bypass the browser's security warning in order to reach the server, because the user cannot tell the difference between a man in the middle and the server's own untrusted certificate. We will later show examples that simplify and automate certificate management.

Man In The Middle Attacks On Private Networks

Most products with an embedded web server are deployed within private networks, and most users assume a private network is secure. But what if an adversary gets into your building or your customer's building and uses a computer he finds in any cubicle to mount his attack? All he would need is a USB stick and a custom Linux version. The adversary would not even need to enter the building if the private network is WiFi-enabled and he cracks the WiFi password. The Pineapple has Aircrack-ng built in and can be used to potentially crack your customer's WiFi network.

One of the easiest man in the middle attacks is to poison the ARP cache by using Ettercap. In short, ARP poisoning is the act of hijacking the address of a machine on your network. The basic principle behind ARP poisoning/spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP poisoning is pretty easy to perform as the following video shows:

The above video, produced by Loi Liang Yang, an information systems security professional, shows how easy it is to poison the ARP cache and act as a man in the middle.

How to Prevent Man-In-The-Middle

The obvious choice is to TLS-enable the embedded web server product, but as explained above, most TLS-enabled products ship with a self-signed certificate, making the product no more secure than a product without TLS. A TLS-enabled web server is only secure when the browser trusts the server certificate, since a browser user cannot see the difference between a man-in-the-middle machine and the actual device if the certificate is not trusted.

It's all about the trust

In short, a browser trusts a server certificate if:

  1. the browser has a copy of the certificate of the signer of the server's certificate, and
  2. the domain name in the signed server certificate matches the domain name the user entered (the URL).

The signer of the certificate is a so-called Certificate Authority (CA), and the CA's certificate must be pre-installed in the browser's certificate store.

See the Certificate Management Tutorial for a general introduction to Public Key Infrastructure (PKI) and Chain of Trust.

Creating trust the hard way or the easy way

If your customers are PKI experts, they may opt to operate as their own CA, by, for example, using the Certificate Management Tool, and create a complete chain of trust for the embedded web server enabled products they have deployed on their local network. However, PKI is fairly complicated, so make sure to check out the article Automatic Certificate Management for Devices, which presents two solutions for enabling configuration-less installation of trusted Let's Encrypt signed certificates (see the video at the end of this page).

How To Hack This Web Page

We all love unicorns and rainbows, right?

As a simple man in the middle simulation, copy the JavaScript code below and paste it into the browser's console window. Most browsers let you open the console window by right-clicking on the web page to bring up the context menu: select "Inspect" in the menu and click the Console tab. Paste the JavaScript code into the console to cornify the page. A new rainbow or unicorn will then appear on this page every five seconds.

    var script = document.createElement('script');        // create a new <script> element
    script.type = 'text/javascript';
    script.src = 'https://www.cornify.com/js/cornify.js';  // point it at the third-party script
    document.head.appendChild(script);                     // inserting it makes the browser fetch and run it
    setInterval(function () { cornify_add(); }, 5000);     // add a unicorn or rainbow every five seconds

Disclaimer: the above can be prevented by setting a "script-src" directive in a Content-Security-Policy header in the server's HTTP response; the browser then refuses to load the injected script from a host the policy does not list.
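How such a policy decides whether the injected cornify.js element may load, as an added example that is not part of the original page: a minimal evaluator for the script-src directive, comparing a weak policy with a hardened one. The device page origin is an assumption, and the evaluator covers only the common source expressions, not the full CSP grammar.

```javascript
// Added example (not from the original page): a minimal evaluator for the CSP script-src
// directive. It handles 'none', 'self', '*', scheme sources and host sources with a
// leading "*." wildcard (ports ignored), not the full grammar; PAGE is an assumption.
const CORNIFY = 'https://www.cornify.com/js/cornify.js'; // script injected in the text
const PAGE = 'https://device.example.com';                // assumed device page origin

// Sources for script-src, falling back to default-src as browsers do; null = no policy.
function scriptSources(cspHeader) {
  const directives = {};
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives['script-src'] || directives['default-src'] || null;
}
// "*" matches any host, "*.example.com" matches any subdomain (but not example.com).
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}
// True if a <script src="scriptUrl"> inserted into a page served from `pageOrigin`
// would be allowed to load under `cspHeader`.
function scriptAllowed(cspHeader, pageOrigin, scriptUrl) {
  const sources = scriptSources(cspHeader);
  if (sources === null) return true; // no CSP at all: anything loads
  const u = new URL(scriptUrl), page = new URL(pageOrigin);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") { if (u.origin === page.origin) return true; continue; }
    if (s.startsWith("'")) continue; // nonces, hashes, 'unsafe-*': not host sources
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) { if (u.protocol === s) return true; continue; }
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/); // [scheme://]host
    if (!m) continue;
    if (m[1] && u.protocol !== m[1] + ':') continue;
    if (hostMatches(m[2], u.hostname)) return true;
  }
  return false;
}
function compare() {
  return {
    noPolicy: scriptAllowed('', PAGE, CORNIFY),                          // weak: true
    anyHttps: scriptAllowed("script-src 'self' https:", PAGE, CORNIFY),  // weak: true
    selfOnly: scriptAllowed("script-src 'self'", PAGE, CORNIFY),         // hardened: false
    ownApp: scriptAllowed("script-src 'self'", PAGE, PAGE + '/app.js'),  // still loads: true
  };
}
```

Note that a bare "https:" source is almost as weak as no policy for this attack, because the injected script is itself served over HTTPS; restricting script-src to 'self' (and, if needed, explicitly listed hosts) is what blocks it while the device's own scripts keep working.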

Automatic Trust: Automatic installation of trusted certificates using Let's Encrypt

Thanks to the new Certificate Authority Let's Encrypt, it is now possible to completely automate the installation of free and trusted certificates for web servers deployed within private networks. See the article Why You Need Automatic Certificate Management for Intranet Web Servers for details.

The following video shows how SharkTrust automates the installation of a trusted Let's Encrypt signed certificate for a microcontroller.


Posted in Whitepapers