Is your toaster keeping you up at night? — OWASP 2014-I1 Insecure Web Interface

Thexssrat
3 min read · Jan 31, 2022

Introduction

When you first buy a device, you might need to configure it. This can be done in many ways, but the one we want to zoom in on today is the common insecure web interface. This might not seem like a big problem, but anything connected to the internet should be very secure against attacks, and even if the device is secured with a login page, that might not be enough.

Overview

Exploitability: Easy — Prevalence: Common — Detectability: Easy — Impact: Severe

Threat Agents

With any web interface, we need to closely consider who can access it. Bad actors from inside or outside of your network could be scanning for a way to get in.

Attack vectors

Insecure web pages come in many flavours. It can be as easy as using weak default credentials or even just always re-using the same passwords, though manufacturers are getting wiser to this and are introducing passwords based on the serial numbers of the devices. This could still spell disaster, however, if they send their passwords over unencrypted channels. All of this is made worse by the fact that attacks can come from internal networks or even external networks since…
