Embedded web browsers

Like billions of people worldwide, you probably use a web browser every day, like Chrome, Firefox, or Safari on your computer or phone. However, browsers are not just standalone applications anymore. They are increasingly integrated into many other products, from smart TVs and e-readers to gaming consoles and even cars. These are commonly known as embedded or integrated browsers. While they look and feel like regular browsers, a crucial question remains: are they as secure?

This question led us to conduct the first large-scale evaluation of embedded browsers, which revealed that most embedded browsers in use today are outdated and expose their users to significant security risks. Our findings show that embedded browsers should be used with caution, or in some cases even avoided altogether.

Large-scale crowdsourcing

Given the vast diversity of consumer devices, conducting our study by purchasing every device on the market was not feasible. Instead, we developed a crowdsourcing website called CheckEngine, inviting users to assess the security of embedded browsers on their own devices.

Users simply visited our website with the product's embedded browser to enroll it, and our automated scripts then performed a security assessment. This assessment focuses on two key aspects:

  • Security Policies: Are modern browser security policies enabled and properly enforced?
  • Browser Age: Is the browser up-to-date, or does it run an outdated and vulnerable version?

Through this effort, we evaluated 76 browsers embedded in smart TVs, gaming consoles, e-readers, cars and other devices.

We are continuing this research, and still encourage you to enroll your own devices to help us gain more insights!

What did we find?

Unfortunately, our findings reveal an alarming deficiency in the security of embedded browsers.

  • Severely outdated: Many devices run browsers that are dangerously old. For instance, 24 of the 35 smart TVs and all 5 e-readers in the study had browsers that were at least three years out of date. Standalone browsers like Chrome and Firefox, by contrast, ship a new major version roughly every four weeks and deliver security fixes automatically in between.
  • Outdated on day one: Shockingly, some products are sold with browsers that are already obsolete. The study found eight products that shipped with a browser engine that was over three years old at the time the product was first released to the market. This puts even the earliest buyers at immediate risk.
  • Software updates can be deceptive: Even when a device receives regular software updates, the embedded browser is often left untouched. We found that browser updates typically only happened during major system-wide releases, not with smaller security patches. This can create a false sense of security for users who see their device updating frequently.
  • Exploitable flaws: These outdated browsers are not just a theoretical concern. By obtaining several of these products and testing them in our lab, we were able to reproduce publicly known vulnerabilities, some of which had earned bug bounties of up to $3,000. Additionally, we identified insecure browser configurations, such as a disabled browser sandbox, the process isolation layer that is meant to contain a compromised renderer; running without it is widely considered an unsafe practice.

In summary, our findings reveal that even a device you bought yesterday may contain an outdated and vulnerable browser, and may put you at risk.

Questions and answers

Who conducted this research?

This research was conducted by researchers at the DistriNet Research Unit at KU Leuven, and was part of a master's thesis.

How can I tell which products come with a secure embedded browser?

That's one of the core problems—you often cannot know before purchase.

Most vendors do not clearly disclose which browser their product ships with, or whether it receives security updates. We found that even vendors who advertise frequent updates often fail to provide adequate browser security updates.

Even if you own the device, it often is not straightforward to find out which browser version is embedded. If you cannot easily find the embedded browser version in its settings, try these steps:

  1. Use the embedded browser to visit chrome://version. If it's Chromium-based (most are) and the vendor did not disable this page, the version appears on the first line.
  2. Visit WhatIsMyBrowser.com via the embedded browser. It infers your browser version mainly from the user-agent string the browser sends, which is usually accurate for recent browsers but can be customised or frozen by the device vendor.

If you are still unable to determine the embedded browser's version, it is safest to assume it is outdated and potentially vulnerable.

I know my embedded browser's version, is it outdated or vulnerable?

WhatIsMyBrowser.com often indicates whether a browser version is outdated. If not, you can check the browser's release notes or search online for your browser version's release date. For Chromium-based browsers, which most embedded browsers are, see the Chrome release notes.

Technically, even a browser that is only a couple of weeks behind can already be missing fixes for publicly known vulnerabilities. It's best to always use the latest browser version available.
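The two checks described above (reading the engine version and judging how far behind it is, plus probing whether modern security features are present) can be scripted. The following is an added example written for this page; it is not CheckEngine's own code. It assumes a roughly four-week major-release cadence for age estimation, a current stable major version that you fill in from the release notes, and the "outdated" thresholds stated in the comments; the user-agent strings and window-like objects are constructed samples, not devices from the study. The same functions run unchanged in a browser console with `navigator.userAgent` and `window`.

```javascript
// Added example (not CheckEngine code): estimate an embedded browser's engine
// version and age from its user-agent string, and feature-probe a window
// object for security-relevant platform features.

// Engine tokens in order of precedence. Brand tokens such as "Edg/", "OPR/" or
// "SamsungBrowser/" are deliberately ignored: the engine token is what
// determines the vulnerability surface. Since Chromium 101 the UA string
// carries a frozen minor version ("Chrome/120.0.0.0"), but the major survives.
const ENGINE_PATTERNS = [
  { engine: "Chromium", re: /Chrome\/(\d+)/ },
  { engine: "Gecko",    re: /Firefox\/(\d+)/ },
  { engine: "WebKit",   re: /Version\/(\d+)[\d.]*\s.*Safari\// },
];

function parseEngineVersion(ua) {
  for (const { engine, re } of ENGINE_PATTERNS) {
    const m = re.exec(ua);
    if (m) return { engine, major: Number(m[1]) };
  }
  return { engine: "unknown", major: null };
}

// Assumption: one major release roughly every four weeks (the current Chromium
// and Firefox cadence). A coarse indicator only; the release notes give dates.
const WEEKS_PER_MAJOR = 4;

function estimateAge(major, currentMajor) {
  if (major === null) return { majorsBehind: null, approxWeeksBehind: null };
  const majorsBehind = Math.max(0, currentMajor - major);
  return { majorsBehind, approxWeeksBehind: majorsBehind * WEEKS_PER_MAJOR };
}

// Feature probes for security-relevant APIs. All names are real web-platform
// APIs; missing several of them indicates an old (or deliberately crippled)
// engine regardless of what the UA string claims, which matters because
// vendors can spoof the UA.
const SECURITY_PROBES = [
  ["isSecureContext",      (w) => typeof w.isSecureContext === "boolean"],
  ["CSP violation events", (w) => typeof w.SecurityPolicyViolationEvent === "function"],
  ["Trusted Types",        (w) => w.trustedTypes != null],
  ["COOP/COEP isolation",  (w) => typeof w.crossOriginIsolated === "boolean"],
  ["iframe sandbox",       (w) => !!w.HTMLIFrameElement && "sandbox" in w.HTMLIFrameElement.prototype],
  ["Permissions-Policy",   (w) => !!w.HTMLIFrameElement && "allow" in w.HTMLIFrameElement.prototype],
  ["WebAuthn",             (w) => typeof w.PublicKeyCredential === "function"],
  ["Reporting API",        (w) => typeof w.ReportingObserver === "function"],
];

function probeSecurityFeatures(win) {
  const missing = SECURITY_PROBES.filter(([, check]) => !check(win)).map(([name]) => name);
  return { supported: SECURITY_PROBES.length - missing.length, missing };
}

function assess(ua, win, currentMajor) {
  const { engine, major } = parseEngineVersion(ua);
  const age = estimateAge(major, currentMajor);
  const features = probeSecurityFeatures(win);
  // Assumed thresholds: unknown engine, roughly a year (13 majors) behind,
  // or three or more missing security features counts as outdated.
  const outdated = age.majorsBehind === null || age.majorsBehind >= 13 || features.missing.length >= 3;
  return { engine, major, ...age, ...features, outdated };
}

// Assumption: fill in today's stable major from the Chrome release notes
// (131 was the stable major in November 2024).
const CURRENT_CHROMIUM_MAJOR = 131;

// Constructed samples (not real devices from the study).
const TV_UA = "Mozilla/5.0 (Linux; Tizen 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.106 Safari/537.36";
const EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0";
const LEGACY_WINDOW = {
  isSecureContext: true,
  SecurityPolicyViolationEvent: function () {},
  HTMLIFrameElement: { prototype: { sandbox: {} } },
};
const MODERN_WINDOW = {
  isSecureContext: true,
  SecurityPolicyViolationEvent: function () {},
  trustedTypes: {},
  crossOriginIsolated: false,
  HTMLIFrameElement: { prototype: { sandbox: {}, allow: "" } },
  PublicKeyCredential: function () {},
  ReportingObserver: function () {},
};

// In a browser console, replace the sample arguments with
// navigator.userAgent and window.
console.log(assess(TV_UA, LEGACY_WINDOW, CURRENT_CHROMIUM_MAJOR));
console.log(assess(EDGE_UA, MODERN_WINDOW, CURRENT_CHROMIUM_MAJOR));
```

The feature probes are the more trustworthy half: a user-agent string is a claim the vendor controls, whereas the presence or absence of an API reflects the engine that actually shipped. Treat the age estimate as a prompt to look up the real release date, not as a substitute for it.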

What should I do if my device's embedded browser is outdated?

Don't use it. Outdated browsers are vulnerable and can put you at risk online.

Check if you can install a secure browser like Chrome or Firefox on your device. Devices running Android often allow installation via the Google Play Store.

If installation of a secure browser is not possible, do not use the device for online browsing at all. Instead, use a secure browser on another device like your smartphone or computer.

What risks come with using an outdated browser?

Outdated browsers expose you to known security flaws that have been fixed in newer versions. Attackers can exploit these to carry out harmful actions like phishing, hijacking your login sessions, or running malicious software on your device.

During our research, we found fully functional attacks just by browsing the Web. If we could do this, so could a malicious attacker with harmful intent. For example, we managed to spoof the address shown in the address bar on one embedded browser, which could be used to create more convincing phishing scams.

This is why you should never use an outdated browser.

Why don't vendors update embedded browsers regularly?

This can be attributed to several factors:

  • In some devices, the embedded browser is tightly coupled to the engine that renders the device's own user interface, so upgrading the browser means retesting and possibly reworking that interface. Vendors may defer browser updates to avoid this development cost. Separating the user-facing browser from the engine that renders UI components would allow the browser to be updated independently.
  • Some vendors may simply be unaware of the security implications. Increasing awareness of these issues could help to address them more proactively.
  • Unfortunately, some vendors prioritize other goals over security and privacy. Introducing economic or regulatory incentives could compel vendors to take their users' security and privacy more seriously.

What steps have you taken to address the problem?

We responsibly disclosed all security issues to the affected vendors of products that we obtained and tested in our lab. For example, AMD responded promptly and updated their embedded browser.

We reported unresponsive vendors to the Centre for Cybersecurity Belgium and the U.S. Federal Trade Commission. The Centre for Cybersecurity Belgium directed us to relevant organizations that might assist; unfortunately, we have yet to receive any response from the Federal Trade Commission. We continue to engage with various organizations.

Finally, by hosting this website and engaging with media, we aim to raise public awareness. You can also help by sharing our research.

How does this research relate to the EU Cyber Resilience Act?

The EU Cyber Resilience Act requires manufacturers and vendors to ensure robust cybersecurity throughout the entire lifecycle of products. This includes mandatory requirements for proper vulnerability management and timely security updates. Although the Act entered into force in December 2024, its obligations apply in stages: the duty to report actively exploited vulnerabilities applies from September 2026, and the majority of vendor obligations apply from December 2027.

Our research shows that many vendors are currently not meeting these requirements, even when examining just the embedded browsers of shipped products. We aim to provide ongoing insight into how vendors improve (or fail to improve) their cybersecurity practices in relation to embedded browsers ahead of the Act's full implementation. As such, we continue to collect new product enrollments.

Where can I find more information?

For more information, we refer to the full paper and presentation.