Security firm Zscaler has released a tool capable of scanning networks to find embedded web servers that may be publicly accessible without any protections.
The web-based tool, called brEWS (Basic Request Embedded Web Server Scanner), can scan IP ranges to find devices such as multi-function printers and photocopiers, VoIP devices and video-conferencing systems that are currently reachable from the internet.
brEWS uses a two-phase approach to identify exposed EWSs quickly. The initial scan retrieves the HTTP headers from every web server that responds. The content of those server headers is then used to query a back-end database, which returns the follow-up tests to run against each host to confirm whether it is an EWS and which kind.
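The two-phase flow described above, as an added example that is not Zscaler's brEWS code: phase one fetches `/` from each host in a range and keeps the `Server` header; phase two looks that header up in a fingerprint table and runs the probes registered for the match, recording separately whether the device demanded authentication (a 401 / `WWW-Authenticate`) or served its management page to an anonymous request. The fingerprint table, the probes and the canned responses for the three documentation-range hosts are constructed for illustration and are assumptions, not Zscaler's database; the network path is a plain HTTP/1.0 GET over a socket, swapped for a canned lookup so the logic runs offline.

```python
"""Two-phase embedded web server (EWS) scanner, illustrative only."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# (status, lowercased headers, body); None means the host did not answer
Response = Optional[Tuple[int, Dict[str, str], str]]
Fetcher = Callable[[str, int, str], Response]

# Constructed fingerprint table: Server-header pattern -> device class.
# Assumed values for the example, not the back-end database brEWS queries.
FINGERPRINTS = [
    (re.compile(r"RomPager", re.I), "embedded:rompager"),
    (re.compile(r"Virata-EmWeb", re.I), "embedded:emweb"),
    (re.compile(r"cisco-IOS", re.I), "cisco-ios"),
]

# Constructed phase-two probes: device class -> [(path, body regex that confirms it)]
PROBES: Dict[str, List[Tuple[str, "re.Pattern[str]"]]] = {
    "embedded:rompager": [("/", re.compile(r"<title>[^<]*(router|modem|gateway)", re.I))],
    "cisco-ios": [("/", re.compile(r"cisco systems", re.I))],
}


def parse_response(raw: bytes) -> Response:
    """Split a raw HTTP response into (status, headers, body); None if unparseable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if sep:
            headers[key.strip().lower()] = val.strip()
    return int(parts[1]), headers, body.decode("latin-1", "replace")


def http_fetch(host: str, port: int, path: str, timeout: float = 3.0) -> Response:
    """Phase-one style request: one HTTP/1.0 GET, capped at 64 KiB of reply."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nUser-Agent: ews-demo\r\n\r\n".encode()
    chunks: List[bytes] = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(req)
            while sum(map(len, chunks)) < 65536:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:  # refused, timed out, unreachable: not a web server for our purposes
        return None
    return parse_response(b"".join(chunks))


def classify(server_header: str) -> Optional[str]:
    """Map a Server header onto a device class, or None when nothing matches."""
    for pattern, tag in FINGERPRINTS:
        if pattern.search(server_header):
            return tag
    return None


def scan_host(host: str, port: int, fetch: Fetcher) -> Optional[dict]:
    """Run both phases against one host; None if no web server answered."""
    first = fetch(host, port, "/")
    if first is None:
        return None
    status, headers, _ = first
    tag = classify(headers.get("server", ""))
    result = {
        "host": host, "server": headers.get("server", ""), "device": tag, "confirmed": False,
        # A 401 or a WWW-Authenticate header means the interface at least asks for a login.
        "auth_required": status == 401 or "www-authenticate" in headers,
    }
    for path, pattern in PROBES.get(tag, []):  # phase two: only for recognised headers
        probe = first if path == "/" else fetch(host, port, path)
        if probe is not None and probe[0] == 200 and pattern.search(probe[2]):
            result["confirmed"] = True
            break
    return result


def scan_range(cidr: str, port: int = 80, fetch: Fetcher = http_fetch) -> List[dict]:
    """Scan every host address in a CIDR block, skipping the ones that do not respond."""
    results = (scan_host(str(ip), port, fetch) for ip in ipaddress.ip_network(cidr).hosts())
    return [r for r in results if r is not None]


def exposed_devices(results: Iterable[dict]) -> List[str]:
    """Hosts that fingerprinted as an EWS and served their page with no authentication."""
    return [r["host"] for r in results if r["device"] and not r["auth_required"]]


# Constructed canned responses (documentation range) so the scanner can run offline.
CANNED: Dict[Tuple[str, str], Response] = {
    ("198.51.100.10", "/"): (200, {"server": "RomPager/4.07 UPnP/1.0"},
                             "<html><title>DSL Router Setup</title></html>"),
    ("198.51.100.11", "/"): (401, {"server": "cisco-IOS",
                                   "www-authenticate": 'Basic realm="level_15_access"'}, ""),
    ("198.51.100.12", "/"): (200, {"server": "Apache/2.2.3 (CentOS)"}, "<html>It works</html>"),
}


def make_canned_fetch(table: Dict[Tuple[str, str], Response]) -> Fetcher:
    """Build a Fetcher that answers from a dict instead of the network."""
    return lambda host, port, path: table.get((host, path))


if __name__ == "__main__":
    found = scan_range("198.51.100.8/29", fetch=make_canned_fetch(CANNED))
    for row in found:
        print(row)
    print("exposed:", exposed_devices(found))
```

Against the canned table the RomPager host fingerprints, confirms on its title and is listed as exposed; the Cisco host fingerprints but answers 401, so it is recognised yet not listed; the Apache host is kept in the results with no device class so the operator can see what the scan did not recognise. Replacing `make_canned_fetch(CANNED)` with the default `http_fetch` runs the same logic over a real range.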
Malicious hackers are already using the Shodan computer search engine to find internet-facing SCADA systems that rely on insecure authentication and authorization mechanisms, and Zscaler's Michael Sutton warns that thousands of embedded systems are currently online without the necessary protections.
According to a report by The H Security, Sutton delivered a presentation at the RSA Conference on this issue:
The scan managed to examine the targeted one million web servers in a short time and came up with the following results: many thousands of multi-function devices (more than 3,000 devices by Canon, 1,200 Xerox photocopiers, 20,000 Ricoh devices, among others), 8,000 Cisco IOS devices and almost 10,000 VoIP systems and phones didn't require any log-in authentication. The latter included 1,100 devices by the German manufacturer Snom. These devices include packet tapping features and PCAP tracing by default. Imported into Wireshark, the trace can be converted into a sound file of the telephone conversation.
The majority of the detected devices were not protected by passwords, Sutton said. This means that any web user can access their web interfaces through a browser and view the documents that are stored on such photocopiers and printers, forward incoming faxes to an external number, or record scan jobs. With HP devices, such intrusions can be carried out by a script that, every second, calls a URL whose only variable is UNIX epoch time, which can easily be guessed.
Sutton's scan also discovered more than 9,000 video conferencing systems by Polycom and Tandberg (now Cisco).