Abstract

WEB technology is used for the configuration, interaction, and management of network equipment, which has become ubiquitous in the intelligent industry and consumer electronics fields. Unauthorized access over the WEB allows unauthenticated users to reach information intended only for authorized users, causing security vulnerabilities such as information leakage and command execution. However, commonly used vulnerability detection techniques for WEB unauthorized access face increasing challenges in efficiently identifying potentially sensitive pages. We propose WEBUAD, a WEB Unauthorized Access Detection framework, for vulnerability detection in the WEB services of IoT network devices. WEBUAD uses a depth-first search algorithm to fully mine the available information in device firmware and generate a potential-visit page set, together with a machine-learning similarity-matching algorithm to calculate the similarity of the responses to WEB requests. Finally, we evaluate WEBUAD on 9 real physical devices from four vendors and 190 device firmware images from seven vendors. The results show that, compared with a state-of-the-art tool such as IoTScope, WEBUAD discovered 5007 potentially available pages, of which 658 were accessible and 9 were sensitive pages, taking 50 s. Furthermore, WEBUAD exposed 13 security-critical vulnerabilities. Our approach can be used to automate the discovery of WEB unauthorized access vulnerabilities in IoT devices.
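As an added illustration of the two steps the abstract describes (this is not WEBUAD's own code), the Python below walks a constructed firmware web root depth-first to build a potential-visit page set, then classifies constructed unauthenticated responses by their similarity to the login page. difflib's ratio is assumed here in place of the paper's machine-learning similarity matcher, and every path and response body is made up.

```python
import difflib
import re
from typing import Dict, List, Set, Union

Tree = Dict[str, Union[str, "Tree"]]  # entry name -> file body or subdirectory
# Constructed stand-in for an unpacked firmware web root (a real run walks the
# extracted filesystem on disk; a nested dict keeps this example offline).
FIRMWARE_WWW: Tree = {
    "index.html": '<a href="/status.html">Status</a><a href="/cgi-bin/admin.cgi">Admin</a>',
    "login.html": "<form action='/login.cgi'></form>",
    "status.html": "<a href='/config/wifi.html'>WiFi</a>",
    "config": {"wifi.html": "ssid=example",
               "system.html": "<a href='/config/backup.cgi'>Backup</a>"},
}
HREF_RE = re.compile(r"""(?:href|action)=["']([^"']+)["']""")

def mine_pages(tree: Tree, prefix: str = "") -> Set[str]:
    """Depth-first walk: every file becomes a candidate URL path, and link targets
    inside files are added too, so CGI handlers with no file on disk are kept."""
    pages: Set[str] = set()
    for name, node in tree.items():
        path = f"{prefix}/{name}"
        if isinstance(node, dict):
            pages |= mine_pages(node, path)
        else:
            pages.add(path)
            pages.update(HREF_RE.findall(node))
    return pages

def classify(unauth_body: str, login_body: str, threshold: float = 0.8) -> str:
    """Compare the body served to an unauthenticated request with the login page.
    difflib's ratio stands in for the paper's learned similarity model (assumption):
    a near-identical body means the page is gated, anything else reached content."""
    ratio = difflib.SequenceMatcher(None, unauth_body, login_body).ratio()
    return "gated" if ratio >= threshold else "accessible"

def audit(pages: Set[str], responses: Dict[str, str], login_body: str) -> List[str]:
    """Candidate pages whose unauthenticated response is not the login page."""
    return sorted(p for p in pages
                  if p in responses and classify(responses[p], login_body) == "accessible")

# Constructed responses to unauthenticated GETs (no device is contacted here).
LOGIN_PAGE = ("<html><body><h1>Router</h1><form action='/login.cgi'>"
              "<input name='user'><input name='pass'></form></body></html>")
RESPONSES = {
    "/status.html": LOGIN_PAGE + "<!-- next=/status.html -->",  # login page, small variation
    "/cgi-bin/admin.cgi": LOGIN_PAGE,                            # login page verbatim
    "/config/wifi.html": "<html><body><h1>WiFi</h1>ssid=example channel=6</body></html>",
    "/config/backup.cgi": "<html><body><h1>Backup</h1>config.bin ready</body></html>",
}
```

Running `audit(mine_pages(FIRMWARE_WWW), RESPONSES, LOGIN_PAGE)` flags only the two pages whose bodies differ from the login page; the threshold and the similarity measure are the knobs a real deployment would tune against known-gated responses.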
