9/26/2011 10:01 AM
Corporate Espionage's New Friend: Embedded Web Servers

Many types of Web-connected photocopiers, scanners, and VoIP servers have no default passwords or other security enabled to stop remote eavesdropping.

Image: Strategic Security Survey: Global Threat, Local Pain
Numerous models of printers, photocopiers, and voice over IP (VoIP) systems are Internet-connected. But their embedded Web servers often use well-known default passwords or firmware that has known vulnerabilities, either of which could be used by remote eavesdroppers to intercept internal communications.

That warning was issued by Michael Sutton, VP of security research for Web security firm Zscaler Labs, last month at the Black Hat security conference, in a session titled "Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers." Sutton presented the results of his research, based on using multiple search engines to fingerprint more than one million Web servers, as well as identifying--as much as possible--which of those servers are embedded. Interestingly, Google search appears to suppress results for embedded Web servers. But other search engines, such as Shodan, do not.

Of the one million Web servers fingerprinted, 34.2% ran Microsoft IIS, and 33.6% ran Apache. Beyond that, there were 2,737 unique server headers on the remaining machines, and "a lot of that is embedded Web servers," said Sutton. Many of those servers also lack any security, such as requiring a password to access stored documents or VoIP calls. As a result, Sutton was able to freely download numerous types of documents, including voting advice from a pro-Tea Party organization, copies of signed checks, and scanned technical reports. "My absolute favorite," he said, "is documentation letting us know that Jim is actually a certified mold inspector."


While that recovered information isn't necessarily earth-shattering, Sutton said that Web-accessible photocopiers and the like are essentially repositories of any recent documents or communications of interest, and thus could serve as a competitive intelligence treasure trove. Some devices even offer would-be attackers time-saving shortcuts. Certain models of Sharp photocopiers, for example, can be set to upload all scanned or copied documents to an external site via FTP, or email them to an outside email address. Meanwhile, some HP all-in-one printers have a feature called Webscan, which allows anyone with a browser to scan and download whatever is on the scanner bed.

Interestingly, the most-prevalent Web-connected devices Sutton found were security cameras, including babycams. "I found a lot of McDonald's Web cams; I don't know why," he said. Most cameras, however, appeared to have been set up to monitor employees.

Of all the devices fingerprinted, however, "the ones that are most concerning are the Ricoh copiers," said Sutton. In particular, 2% of all of the embedded Web servers he found were Ricoh copiers that use a default password of "admin." While the devices offer SSH encryption, many also ran services such as telnet, which an attacker could easily enable and then use to directly access the machines at a later date. Some of the machines also make recently scanned documents available for immediate download in TIFF or PDF format.

Going forward, Sutton said he's hoping to amass better information--which he'll share freely--for fingerprinting every type of embedded Web server (EWS) he finds, in part to help businesses understand which internal devices may have embedded Web servers with known vulnerabilities. To that end, he's released BREWS (for basic request embedded Web server), which he described as a "crowd-sourcing initiative to build a global database of EWS fingerprinting data."

But what can be done to EWS vulnerabilities now? First, embedded Web servers need to be included in corporate patch management plans, and vendors must push patches. "The hardware industry is at least a decade behind the software industry in terms of security," said Sutton. "We definitely need to move to a system that's more common, like Apple TV, where new patches just get pushed to you." For example, one of the most widely used embedded Web servers is Allegro RomPager, which its manufacturer says runs in 75 million devices. During his research, Sutton found at least 3,000 devices running a version of RomPager that contains a known vulnerability that could be used to crash the server.

Next, devices need to ship with security-compromising features, such as the ability to automatically upload scanned documents to an FTP site, disabled. "I really place the blame on the vendors," said Sutton. "This functionality often serves no useful purpose, and it really doesn't need to be there." When it is useful, however, such functionality should be enabled by default, using a unique password such as the device's serial number or MAC address.

Until those changes occur, corporate IT managers should regard anything with an embedded Web server as a potential security threat, and secure it appropriately. "In the enterprise ... you need to treat a photocopier or any network-enabled device the same way as a computer," said Sutton.
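As an added example (not Sutton's BREWS tool or any code from the article), the Python helper below turns the Server headers recorded by an internal asset scan into an inventory that separates general-purpose Web servers from candidate embedded Web servers, so the latter can be fed into the patch-management process the article calls for. The banner patterns for the device families the article names and the sample scan records are constructed assumptions, not data from Sutton's research.

```python
import re
from collections import Counter

# Server families that normally run on general-purpose computers. Anything else is
# treated as a candidate embedded Web server (EWS) and surfaced for patch management.
GENERAL_PURPOSE = {
    "IIS": re.compile(r"^Microsoft-IIS", re.I),
    "Apache": re.compile(r"^Apache", re.I),
    "nginx": re.compile(r"^nginx", re.I),
    "lighttpd": re.compile(r"^lighttpd", re.I),
}

# EWS families the article mentions. These banner patterns are assumptions about
# typical device headers, not values taken from the article.
KNOWN_EWS = {
    "Allegro RomPager": re.compile(r"RomPager", re.I),
    "Ricoh copier": re.compile(r"^Web-Server/", re.I),
    "HP printer": re.compile(r"^HP-", re.I),
}

VERSION = re.compile(r"/\s*(\d+(?:[._]\d+)*)")  # e.g. "Apache/2.2.17" -> "2.2.17"

def classify(server_header):
    """Return (family, version) for one HTTP Server header value."""
    header = (server_header or "").strip()
    if not header:
        return ("unknown", None)
    m = VERSION.search(header)
    version = m.group(1) if m else None
    for name, pattern in GENERAL_PURPOSE.items():
        if pattern.search(header):
            return (name, version)
    for name, pattern in KNOWN_EWS.items():
        if pattern.search(header):
            return ("EWS:" + name, version)
    return ("EWS:unrecognized", version)  # unknown banner: still an EWS candidate

def inventory(records):
    """records: iterable of (host, server_header). Returns (family counts, EWS rows)."""
    counts, ews = Counter(), []
    for host, header in records:
        family, version = classify(header)
        counts[family] += 1
        if family.startswith("EWS:"):
            ews.append((host, family[4:], version, header))
    return counts, ews

# Constructed sample scan output (host, Server header); not real devices.
SAMPLE_SCAN = [
    ("10.0.1.10", "Microsoft-IIS/7.5"), ("10.0.1.11", "Apache/2.2.17 (Unix)"),
    ("10.0.1.12", "Apache"), ("10.0.2.20", "Web-Server/3.0"),
    ("10.0.2.21", "Allegro-Software-RomPager/4.07"), ("10.0.2.22", "Virata-EmWeb/R6_2_0"),
    ("10.0.2.23", "HP-ChaiSOE/1.0"), ("10.0.3.30", "nginx/1.0.5"), ("10.0.3.31", ""),
]

if __name__ == "__main__":
    counts, ews = inventory(SAMPLE_SCAN)
    print(dict(counts))
    for row in ews:
        print("add to patch inventory:", row)
```

The EWS rows are what an IT manager would reconcile against vendor firmware advisories; an unrecognized banner is deliberately kept in that list rather than dropped.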
