
Paper details

Title Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
Type Paper
Tags web server embedded intelligence
Abstract Today, everything from television sets to photocopiers has an IP address and an embedded web server (EWS) for device administration. Need to record a show? Start the DVR with a mobile app. Want a digital copy of a previously photocopied document? No problem. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. What if that same convenience exposed photocopied documents online or allowed outsiders to record your telephone conversations? A frightening thought indeed. Software vendors have been forced to climb the security learning curve. As independent researchers uncovered embarrassing vulnerabilities, vendors had little choice but to plug the holes and revamp development lifecycles to bake security into products. Vendors of embedded web servers have faced minimal scrutiny and as such are at least a decade behind when it comes to security practices. Today, network-connected devices are regularly deployed with virtually no security whatsoever. The risk of insecure embedded web servers has been amplified by insecure networking practices. Every home and small business now runs a wireless network, but it was likely set up by someone with virtually no networking expertise. As such, many devices designed only for LAN access are now unintentionally Internet-facing and wide open to attack from anyone, regardless of their location. Leveraging the power of cloud-based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'wifi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target-rich environment for years to come.
Additionally, we'll unveil the latest iteration of brEWS, a free EWS scanner and crowd-sourcing initiative designed to build a global database of EWS fingerprinting data. Traditional security scanners largely ignore EWSs, and gathering appropriate fingerprinting data is a challenge, as most reside on LANs where external scanning is not an option. As such, we're issuing a call to arms to collectively gather and share this information.
Authors Michael Sutton
Submitted February 08, 2012
Correlation
Linked to
Event Black Hat Abu Dhabi 2011
Resource ---
Download
Source bh-ad-11-Sutton_Embeded_Web_Servers_WP.pdf
Size 1.3 MB
MD5 cd655c60b913fca26e69a61e9008916a
SHA1 d2d585ac6cd51b3b222d56bee48466e0a5b5f07d
