Embedded web browsers
Like billions of people worldwide, you probably use a web browser every day, like Chrome, Firefox, or Safari on your computer or phone. However, browsers are not just standalone applications anymore. They are increasingly integrated into many other products, from smart TVs and e-readers to gaming consoles and even cars. These are commonly known as embedded or integrated browsers. While they look and feel like regular browsers, a crucial question remains: are they as secure?
This question led us, researchers at the DistriNet Research Unit of KU Leuven, to conduct the first large-scale evaluation of embedded browsers. Our findings reveal that many are outdated and pose significant security risks. Embedded browsers should be used with caution, and in many cases even avoided entirely.
Large-scale crowdsourcing
Given the wide variety of devices with embedded browsers, testing every product on the market was unfeasible. Instead, we launched CheckEngine, a crowdsourcing platform inviting users to assess the security of their embedded browsers.
Users simply visit our site to register their device's embedded browser, and our automated tools perform security evaluations. The assessment focuses on two main aspects:
- Security Policies: Are modern security policies enabled and properly enforced?
- Browser Age: Is the browser up-to-date, or is it outdated and vulnerable?
So far, we have evaluated 76 embedded browsers across smart TVs, gaming consoles, e-readers, cars, and more.
This research is ongoing. We encourage you to enroll your own devices to help us gather more insights!
What did we find?
Unfortunately, our research uncovered various security flaws in embedded browsers.
- Severely outdated: Many devices use browsers that are alarmingly old. For example, 24 of the 35 smart TVs and all 5 e-readers we studied had browsers at least three years behind current versions. In contrast, popular standalone browsers like Chrome and Firefox receive automatic updates monthly.
- Outdated on day one: Shockingly, some products are sold with browsers that are already obsolete at release. For example, we identified eight products shipping with browsers over three years old at launch, exposing even early buyers to immediate risk.
- Software updates can be deceptive: Even when devices receive frequent software updates, the embedded browser often remains outdated. Browser updates tend to occur only during major system upgrades, not with smaller patches, potentially giving users a false sense of security. Moreover, our study uncovered products shipped with severely outdated browsers whose vendors misleadingly advertised "free security updates" that do not update the browser at all.
- Exploitable flaws: These outdated browsers aren't just a theoretical concern. By testing several products in our lab, we reproduced known vulnerabilities—some with bug bounties up to $3,000. We also discovered insecure configurations like disabled browser sandboxes, which are widely recognized as unsafe practices.
In short, even the newest devices you purchase today may contain outdated, vulnerable browsers that put you at risk.
Questions and answers
Who conducted this research?
How can I tell if a product has a secure embedded browser?
That's one of the core issues—this information is often unclear before and even after purchase.
Most vendors do not disclose which browser their product uses or whether it receives security updates. Our research shows that even advertised frequent updates often fail to maintain browser security.
Even if you own the device, finding the embedded browser's version may not be straightforward. If it is not shown on the settings page, try these methods:
- Participate in our crowdsourcing study here; it only takes a few minutes. You will receive more information about your browser at the end and help us gather more insights into the security of embedded browsers.
- Visit WhatIsMyBrowser.com with the embedded browser, to check its version and see how outdated it may be.
If you still cannot determine the version, it's safest to assume the browser is outdated and potentially vulnerable.
I know my embedded browser's version. How can I tell if it's outdated or vulnerable?
You can participate in our crowdsourcing study or visit WhatIsMyBrowser.com to check your browser's status. Sometimes these tools do not provide a clear answer, especially if the vendor has heavily customized the browser, making it hard to link it to a known version. That is usually a bad sign in itself: your browser may well be outdated and vulnerable.
Alternatively, check the browser vendor's website for version release information. For Chromium-based browsers, which most embedded browsers are, check the Chrome release notes.
Technically, even browsers outdated by just a few weeks can contain unpatched vulnerabilities that attackers could exploit. Always use the latest version for the best protection. If you cannot verify your browser's update status, it's safest to assume it is outdated.
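The version check described in this answer (and the "Browser Age" part of the assessment above) can be automated from the browser's User-Agent string. The following is an added example, not code from CheckEngine or from WhatIsMyBrowser.com; it assumes a placeholder "current" Chromium major version that you would take from the Chrome release notes, uses the page's rough one-major-per-month cadence to estimate age, and treats an unrecognisable version as outdated, as the page advises.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (placeholder value): the latest stable Chromium major at check time.
# Take the real number from the Chrome release notes before relying on the result.
CURRENT_CHROMIUM_MAJOR = 120
# Assumption from the page: standalone browsers get a new major roughly monthly,
# so "majors behind" doubles as a rough "months behind".
MONTHS_PER_MAJOR = 1
SEVERE_MONTHS = 36  # the page's "at least three years behind" threshold

_CHROMIUM_TOKEN = re.compile(r"\b(?:Chrome|Chromium)/(\d+)\.")

@dataclass
class BrowserAge:
    major: Optional[int]  # None when no Chromium version token was found
    majors_behind: int
    est_months_behind: int
    verdict: str

def parse_chromium_major(ua: str) -> Optional[int]:
    """Return the upstream Chromium major from a User-Agent, or None.
    Vendor customisations (SmartTV tokens, model names) normally keep the
    Chrome/NN token, the only part that ties the build to an upstream release."""
    m = _CHROMIUM_TOKEN.search(ua)
    return int(m.group(1)) if m else None

def assess(ua: str, current_major: int = CURRENT_CHROMIUM_MAJOR) -> BrowserAge:
    """Apply the page's rules of thumb: an unrecognisable version is treated as
    outdated, and three or more years behind counts as severely outdated."""
    major = parse_chromium_major(ua)
    if major is None:
        return BrowserAge(None, 0, 0, "unknown: assume outdated")
    behind = max(0, current_major - major)
    months = behind * MONTHS_PER_MAJOR
    if months >= SEVERE_MONTHS:
        verdict = "severely outdated"
    elif behind > 0:
        verdict = "outdated"
    else:
        verdict = "up-to-date"
    return BrowserAge(major, behind, months, verdict)

# Constructed sample User-Agent strings, not captured from real devices.
TV_UA = ("Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) "
         "Chrome/63.0.3239.84 Safari/537.36 SmartTV/1.0")
EREADER_UA = ("Mozilla/5.0 (Linux; U; en-US) AppleWebKit/605.1.15 (KHTML, like Gecko) "
              "Version/16.0 Safari/605.1.15")
```

Calling `assess(TV_UA)` on the constructed smart-TV string reports a Chromium 63 build as severely outdated, while the WebKit-only e-reader string yields no version and is flagged as "assume outdated".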
What should I do if my embedded browser is outdated?
Stop using it. Outdated browsers pose serious security risks.
Check if your device allows installing secure browsers like Chrome or Firefox. Devices running Android often allow installation via the Google Play Store.
If installing a secure browser isn't possible, avoid using the device for online browsing. Use a secure browser on another device such as a smartphone or computer.
What risks come with using an outdated browser?
Outdated browsers contain known vulnerabilities that attackers can exploit to perform harmful actions such as phishing, session hijacking, data theft, or running malicious code.
Our research demonstrated functional attacks that can be launched by a malicious website. For example, we spoofed an address bar in one embedded browser, enabling more convincing phishing scams.
This is why you should never use an outdated browser.
Why don't vendors update embedded browsers regularly?
This is due to several reasons:
- In some devices, the embedded browser is tightly integrated with UI components, so updating the browser can require additional development work. As a result, vendors may delay browser updates. Separating the UI from the browser engine responsible for rendering those UI components could solve this.
- Some vendors may simply be unaware of the security implications. Increasing awareness would help to address this issue.
- Other vendors prioritize economic or other goals over the security and privacy of their customers. Regulatory or economic incentives could compel vendors to implement better practices.
What steps have you taken to address this issue?
We responsibly disclosed security flaws to affected vendors of products that we obtained and tested in our lab. For example, AMD responded promptly and updated their embedded browser.
We reported unresponsive vendors to the Centre for Cybersecurity Belgium and the American Federal Trade Commission. While the Centre for Cybersecurity Belgium facilitated engagement with relevant parties, the FTC has yet to respond. We continue to engage with various organizations that might help to raise awareness and compel vendors to improve their security practices.
Finally, by hosting this website and engaging with media, we aim to raise public awareness. You can also help by sharing our research.
How does this research relate to the EU Cyber Resilience Act?
The EU Cyber Resilience Act requires manufacturers and vendors to ensure robust cybersecurity throughout a product's entire lifecycle, including vulnerability management and timely security updates. Although effective from December 2024, full vendor obligations begin in December 2027.
Our research shows that many vendors do not yet comply, even when examining just the embedded browsers of products. We aim to provide ongoing insights into how vendors improve (or fail to improve) their cybersecurity practices in relation to embedded browsers ahead of the Act's full implementation. As such, we continue to monitor progress, encouraging new product enrollments.