Most devices like printers, scanners, and VoIP systems nowadays have embedded Web servers for easy administration. Unfortunately, many of these devices are left largely unprotected because of configuration lapses. Some servers are not properly configured and can be accessed using the default user name and password, or are left with no means of protection at all. What’s worse is that these lapses allow the embedded Web servers to be reached by the general public, potentially leading to unwanted information disclosure.
This is basically what Michael Sutton showed during the “Black Hat USA 2011” briefings. His talk about embedded Web servers and the hidden threats these pose revealed a number of devices with EWS that are publicly accessible on the Internet.
For example, HP scanners with a Web scan feature (which lets a user remotely scan a document) can give access to documents that are left in the scanner. A remote user can also adjust settings to make the scanner automatically send scanned documents to a designated address, or request a copy of recently scanned documents through the Web interface. Printers were also revealed to allow FTP access with no password protection, making it very easy for a malicious user to store malware files on the printer. Lastly, Michael also found some VoIP systems that are left open and showed how easy it is to get a recording of a phone conversation.
Devices Accessible Through the Web
You would think that these devices would not be publicly available, or that there wouldn’t be many if there were such devices. Well, that’s what I thought, too. But a simple Web header scan through shodan (shodanhq.com) during Sutton’s presentation revealed hundreds of potentially exposed embedded Web servers that are available to the general public.
This is dangerous since most people don’t even know that there is a Web server running in the device, therefore leaving them unaware of a security hole in their network. Furthermore, in his white paper, Sutton said, “A normal vulnerability scan would not be sufficient to see these risks since most Web vulnerability scanners focus on Web application servers and not embedded Web servers. Embedded Web servers will usually be identified but lumped together with other Web servers. So a normal security audit that focuses on XSS or SQL injection would not be effective since basic tests like checking for passwords or exposed dangerous functionality in the embedded Web servers are not done.”
As a precaution, we recommend that users check their network for devices with embedded Web servers and make sure these are not exposed to the Internet. They should also disable potentially dangerous and unnecessary features such as unauthenticated FTP or remote scan-to-destination. Lastly, make sure to change the default password on each device’s embedded Web server. Default passwords are as good as having no password at all.
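The header-scan idea from Sutton’s demonstration and the “check your network for embedded Web servers” step above can be turned into a small triage script. The following is an added example, not code from the original article or from Sutton’s talk: it takes HTTP header-scan records (a constructed sample is embedded, using TEST-NET-1 addresses), flags the ones whose Server banner looks like an appliance, and reports which management pages answer without any authentication challenge. The signature list and the record format are assumptions of this example; extend the list with whatever banners your own inventory shows.

```python
"""Triage HTTP header-scan results to spot embedded Web servers (EWS).

Added example, not code from the original article or from Sutton's talk.
It runs offline on a constructed scan result; ``scan_host`` shows how the
same record shape is produced from a live HEAD request during an audit.
"""
import http.client
from dataclasses import dataclass, field

# Assumption: an illustrative, non-exhaustive set of Server-header fragments
# seen on printers, scanners, VoIP phones and similar appliances.
EWS_SIGNATURES = {
    "hp-chaisoe": "HP printer/scanner (ChaiSOE)",
    "virata-emweb": "Virata EmWeb appliance server",
    "rompager": "Allegro RomPager appliance server",
    "goahead-webs": "GoAhead appliance server",
    "boa/": "Boa appliance server",
    "mini_httpd": "mini_httpd appliance server",
}


@dataclass
class Finding:
    host: str
    port: int
    server: str
    device_type: str
    unauthenticated: bool
    notes: list = field(default_factory=list)


def classify_server(server_header):
    """Return a device label if the Server banner looks embedded, else None."""
    banner = (server_header or "").lower()
    for fragment, label in EWS_SIGNATURES.items():
        if fragment in banner:
            return label
    return None


def assess(record):
    """Turn one scan record into a Finding, or None if it is not an EWS.

    record: {"host", "port", "status", "headers"}; header names may be in
    any case, as http.client returns them.
    """
    headers = {k.lower(): v for k, v in record["headers"].items()}
    server = headers.get("server", "")
    device_type = classify_server(server)
    if device_type is None:
        return None
    # A 200 on the landing page with no WWW-Authenticate challenge means the
    # management interface is reachable without any credential at all.
    unauthenticated = record["status"] == 200 and "www-authenticate" not in headers
    notes = []
    if unauthenticated:
        notes.append("management page served without HTTP authentication")
    if record["port"] not in (443, 8443):
        notes.append("plaintext HTTP; credentials and scans cross the wire unencrypted")
    return Finding(record["host"], record["port"], server, device_type,
                   unauthenticated, notes)


def inventory(records):
    """All embedded Web servers found in a list of scan records."""
    return [f for f in (assess(r) for r in records) if f is not None]


def exposed_hosts(findings):
    """Hosts whose EWS answers without authentication, sorted for reporting."""
    return sorted(f.host for f in findings if f.unauthenticated)


def scan_host(host, port=80, timeout=3.0):
    """Build a scan record from a live HEAD request to one host on the audited network."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return {"host": host, "port": port, "status": resp.status,
                "headers": dict(resp.getheaders())}
    finally:
        conn.close()


# Constructed scan output (TEST-NET-1 addresses, made-up banners) for the demo.
SAMPLE_SCAN = [
    {"host": "192.0.2.10", "port": 80, "status": 200,
     "headers": {"Server": "HP-ChaiSOE/1.0", "Content-Type": "text/html"}},
    {"host": "192.0.2.11", "port": 80, "status": 401,
     "headers": {"Server": "Virata-EmWeb/R6_2_1",
                 "WWW-Authenticate": 'Basic realm="printer"'}},
    {"host": "192.0.2.12", "port": 80, "status": 200,
     "headers": {"Server": "Apache/2.2.3 (CentOS)"}},
    {"host": "192.0.2.13", "port": 8080, "status": 200,
     "headers": {"Server": "GoAhead-Webs"}},
]

if __name__ == "__main__":
    found = inventory(SAMPLE_SCAN)
    for f in found:
        state = "OPEN" if f.unauthenticated else "auth"
        print(f"{f.host}:{f.port}  {f.device_type:<32} {state}  {'; '.join(f.notes)}")
    print("unauthenticated:", exposed_hosts(found))
```

On the constructed sample the Apache host is ignored, the EmWeb printer that answers 401 with a Basic challenge is listed but not flagged as open, and the two appliances that serve their landing page with a plain 200 are reported as reachable without authentication. Feeding the same records into the “disable unnecessary features” and “change the default password” steps is then a matter of working through the `exposed_hosts` list first.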