Many modern appliances, consumer devices, and other devices include embedded systems that are configured to perform one or more dedicated functions. However, most embedded systems of such devices do not include networking capabilities, remote interface capabilities, remote control capabilities, or related capabilities. Designing such functionality into an embedded system, designing application programming interfaces (APIs) for accessing such functionality, designing web services capable of communicating with and controlling the embedded system via this added functionality, and designing applications for taking advantage of this functionality can consume considerable resources of the device manufacturer.
Some consumer devices such as routers, network storage devices and so on provide an interface that enables these devices to be accessed over a local area network (LAN) via a remote interface. The remote interface is typically accessible using a standard web browser. Standard security practices for the remote interfaces are either non-existent or insecure. For example, one common practice is to configure the device with a permanent password and to identify that password on a sticker attached to the device. Any individual who knows the password can access the device. As a result, security leaks may occur through the manufacturing and distribution chain of the device. Additionally, once the password is compromised, security of the device is compromised for the life time of that device. Accordingly, typical security solutions for the remote interfaces of such conventional consumer devices often introduce a security hole.