Introduction

When you first buy a device, you might need to configure it. This can be done in many ways but the one we want to zoom in to today is the common insecure web interface. This might not seem like a big problem but anything connected to the internet should be very secure against attacks and even though the device might be secured with a login page, that might not be enough.

Overview

Threat Agents	With any web interface, we need to closely consider who can access it. Bad actors from inside or outside of your network could be scanning for a way to get in.
Attack vectors	Insecure web pages come in many flavors and it can be as easy as using weak default credentials or even just always re-using the same passwords through manufacturers are getting wiser to this and they are introducing passwords based on the serial numbers of the devices. This still could spell disaster however if they send their passwords over unencrypted channels. All of this is made worse by the fact attacks can come from internal networks or even external networks since some of these devices are connected to the internet.
Security Weakness	Many different issues can claim home in this category. Account enumeration, improper rate-limiting and even exposing the web interface when it should not be public can belong to this vulnerability types. This issue can be easily spotted by automated tooling but it should always be used in conjunction with manual testing.
Technical impact	In the worst case you will wake up at 3AM with your toaster yelling at you but other issues can arise which mostly involve the users data such as corruption.
Business impact	This issue can spell disaster for any brand, the PR nightmare that would come from insecure devices is something that can kill a company but even worse, it could kill a human. What would the impact be if a smart oven turned on at 4 AM burning down a house?

Exploitability	Easy
Prevalence	Common
Detectability	Easy
Impact	Severe

Steps to secure yourself

Luckily, OWASP has a few pointers to know if your web interface is secure or not. We can ask ourselves these questions and if the answer is no to any of these we might have the answer to our initial question right there.

We have to ask ourselves if the password being used is different for all of the devices
We have to ask ourselves if the password can be changed
We have to ask ourselves if the sufficient lockout mechanisms are in place when incorrect passwords are used
We have to ask ourselves whether it’s possible to enumerate user accounts by sending a forgot password request for example
We have to check if the interface is free from exploits such as SQLi, XSS or others

The properties of a secure web interface

Ideally, the web interface requires us to change our passwords and even our usernames during the initial setup
A good web interface has a good password recovery mechanism. We must ensure usernames are not easy to enumerate.
Good web interfaces validate and filter all user input. This protects against attacks such as SQLi and XSS
Good web interfaces communicate over a secure connection and do not leak the username or the password
Strong password policies are enforced to ensure password brute-forcing is not an easy venture
proper rate-limiting controls are implemented