XCS based hidden firmware modification on embedded devices

Most contemporary embedded devices, such as wireless routers, digital cameras, and digital photo frames, have Web based management interfaces that allow an administrator to perform management tasks on the device from a Web browser connecting to the device´s Web server. It has been shown earlier that many of these devices are vulnerable to Cross Site Scripting type attacks whereby some malicious JavaScript code can be injected in the Web pages stored on the device. When such infected pages are opened by the administrator, the malicious script is executed with admin privileges, and it can potentially fully compromise the embedded device. In this paper, we demonstrate that such full compromise of embedded devices is indeed possible in practice by showing how the injected malicious script can install an arbitrarily modified firmware on the device. We present the general framework of this kind of hidden firmware modification attacks, and report on our proof-of-concept implementation that targets Planex MZK-W04NU wireless routers. In addition, we also show how this vulnerability can be exploited to install botnet clients on embedded devices, and by doing so, to create embedded botnets. Our work proves that the risk of this type of attacks on embedded systems is considerable, and it will further increase in the future.