Embedded Web Servers Open to Hackers

Monday, July 25, 2011 @ 01:07 PM gHale

Embedded web servers in digital scanners, office printers, VoIP systems, storage devices, and other equipment are open for attack.

Ricoh and Sharp copiers, HP scanners, and Snom voice-over-IP (VoIP) phones were the most commonly discovered devices, all accessible via the Internet, said Michael Sutton, vice president of security research for Zscaler Labs.

Embedded Web servers with little or no security often get misconfigured when installed, Sutton said. Most likely, the potential victims are small to midsize businesses or consumers with less technical expertise who misconfigure their devices and have no idea they’re showing up online.

Sutton used Amazon EC2 computing resources to constantly scan large blocks of addresses and to detect any embedded Web servers.

Sharp and Ricoh copiers digitally archive past photocopies, so if that feature is running and the copier is sitting on the Net unsecured, an attacker could retrieve any previously photocopied documents, he said. Even the fax-forwarding feature in some HP scanners could be exploited if the scanner were open to the Internet. In that case, an attacker could access any documents faxed to the user by having them forwarded to his own fax machine.

The Snom VoIP systems Sutton found in his Internet scans could be vulnerable to eavesdropping or to having caller information pilfered. “Some of their VoIP systems have a kind of admin debugging/packet capture feature. If [the VoIP system is] accessible, you can log in, turn it on, capture traffic, download PCAPs … and with Wireshark, you can eavesdrop on organizations,” Sutton said.

Sutton said he will release a free, new tool he developed to help organizations scan for these types of vulnerable devices in their networks. Called BREWS, it’s basically a Web-based and automated version of the scripts he wrote to scan for server headers.

He doesn’t consider Google-hacking an easy or effective way to find embedded servers. Scanning for headers is a better approach, he said. “Embedded Web servers have different data than a standard Web server: They are very static and tend not to change. There are a handful of server headers for HP printers and scanners,” he said.

The BREWS tool also gathers and compiles global fingerprint data on these embedded Web devices. “We don’t have good information to find these devices. Typically, security scanners focus on Web application servers, not on these” embedded ones, Sutton said.

“We want to encourage people to scan their own networks … and then it’s submitted back to a centralized database, and we’ll share the fingerprinting data,” he said. Fingerprinting those devices has been difficult because many sit on LANs and can’t undergo an external scan, he said.
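For teams auditing their own networks, the header-based fingerprinting described above can be sketched as follows. This is an added example, not BREWS or Sutton's scripts; the `Server` banner patterns, addresses and responses are constructed placeholders, and "Internet-facing" is assumed here to mean any address outside the RFC 1918 private ranges.

```python
import ipaddress
import re

# Constructed placeholder banners, not real vendor strings.
# Replace them with Server headers observed on devices you own.
FINGERPRINTS = [
    (re.compile(r"^ExampleCopier-HTTPD/", re.I), "copier"),
    (re.compile(r"^ExampleScan-Embedded", re.I), "scanner"),
    (re.compile(r"^ExamplePhone-VoIP/", re.I), "voip-phone"),
]
# Assumption: anything outside RFC 1918 space is treated as Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def server_header(raw):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def audit(inventory):
    """inventory: (ip, raw_response) pairs collected from your own hosts."""
    findings = []
    for ip, raw in inventory:
        banner = server_header(raw)
        kind = next((k for p, k in FINGERPRINTS if banner and p.search(banner)), None)
        if kind is None:
            continue                             # not a known embedded server
        addr = ipaddress.ip_address(ip)
        exposed = not any(addr in net for net in INTERNAL_NETS)
        findings.append({"ip": ip, "kind": kind, "banner": banner,
                         "internet_facing": exposed})
    # Internet-facing devices first: they are the ones the article warns about.
    return sorted(findings, key=lambda f: not f["internet_facing"])

# Constructed sample responses (documentation and private addresses).
SAMPLE = [
    ("10.1.4.20", b"HTTP/1.1 200 OK\r\nServer: ExampleCopier-HTTPD/2.1\r\n\r\n<html>"),
    ("203.0.113.10", b"HTTP/1.0 200 OK\r\nserver: ExamplePhone-VoIP/8.4\r\n\r\n"),
    ("203.0.113.11", b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("10.1.4.21", b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```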
