Report: Thousands of embedded systems on the net without protection

Over the past few years, researchers have repeatedly demonstrated how easily web servers that are embedded in devices such as multi-function printers and VoIP systems can be tracked down over the web; however, thousands of machines remain unprotected.

At the RSA Conference, which is ongoing, Zscaler's Michael Sutton has provided further evidence that many embedded web servers (EWS) can be easily accessed by outsiders via the internet. Where multi-function printers or video conferencing systems are concerned, this can cause serious data leaks: the printers store scanned, faxed and printed files on hard disks and then disclose these often sensitive documents. Video conferencing hardware allows outsiders to monitor rooms remotely or listen to meetings that are in progress.

Sutton's aim was to scan a million web servers and create a catalogue of all the embedded web servers he found. His first tests involved Nmap and the Google Hacking Database (GHDB). However, neither tool proved very successful, as Nmap doesn't detect enough EWS fingerprints and will, therefore, produce useless device information. Google, on the other hand, doesn't allow search queries via scripts and would have required time-consuming manual scans.

The security researcher ended up using the Shodan online scanner (www.shodanhq.com). Sutton explained that Shodan has a huge database containing the HTTP header information of EWS systems, allowing such devices to be identified with accuracy. The researcher entered typical character strings from the embedded web servers' web pages into Shodan. To automate the process, Sutton used a Perl script that only sent HEAD queries via Shodan. The script was hosted on several EC2 micro instances in Amazon's cloud which, according to the researcher, only cost a few US dollars.

The scan managed to examine the targeted one million web servers in a short time and came up with the following results: many thousands of multi-function devices (more than 3,000 devices by Canon, 1,200 Xerox photocopiers, 20,000 Ricoh devices, among others), 8,000 Cisco IOS devices and almost 10,000 VoIP systems and phones didn't require any log-in authentication. The latter included 1,100 devices by the German manufacturer Snom. These devices include packet tapping features and PCAP tracing by default. Imported into Wireshark, the trace can be converted into a sound file of the telephone conversation.

The majority of the detected devices were not protected by passwords, Sutton said. This means that any web user can access their web interfaces through a browser and view the documents that are stored on such photocopiers and printers, forward incoming faxes to an external number, or record scan jobs. With HP devices, such intrusions can be carried out by a script that, every second, calls a URL whose only variable is UNIX epoch time, which can easily be guessed.

The scan run by Sutton also identified more than 9,000 video conferencing systems by Polycom and Tandberg (now Cisco). The most likely reason why these devices were openly accessible on the net is that they all use the H.323 protocol and require numerous ports to be opened in the firewall. Michael Sutton thinks that many administrators shy away from this, placing their systems in a DMZ instead. The IT security expert used a video to demonstrate how he managed to monitor the targeted conference rooms via an accessible video conferencing system that provided both sound and images.

Sutton's company is now providing the brEWS scanner free of charge, which specialises in detecting embedded web servers. To avoid placing the weapon into the hands of criminals, scans can only be run in a /24 subnet. At a later stage, the researcher also plans to offer a browser add-on that will allow administrators to examine protected internal networks; this add-on will carry out the scan and then send the results to the brEWS server for identification.

(Uli Ries / fab)