Black Hat: Embedded Web servers open printer, scanner security holes
- 27 July, 2011 01:48
It's fairly simple to find corporate or consumer printers and scanners online and, without breaking into them, get a hold of documents that these devices recently processed.
It can be done because "there are embedded Web servers that come in hardware devices," says Michael Sutton, vice president of security research at Zscaler Labs, who will present his research at next week's Black Hat Conference. The embedded Web servers in "photocopiers, printers and scanners are there for the purpose of ease of administration," but the functionality is not hardened, the devices are available directly through the Internet, and often they aren't password-protected, he says.
In his research, Sutton says he discovered he can easily find these printers, scanners and photocopiers, including those made by HP, Ricoh and Sharp, out on the Internet, and simply use the available features "to remotely retrieve anything recently photocopied, such as download a PDF copy of it."
He said he finds this equipment and its embedded Web servers with scripts he wrote that scan huge blocks of IP addresses and recognize certain tell-tale Web header fingerprints. "There's no breaking-in required," Sutton adds.
He says he's highlighting the risks because "I want enterprises and consumers to recognize that an embedded Web server is a Web server and you've got to shut off some features," adding, "it's like a public Web server." Features should not be enabled by default, nor used without password protection. But he notes many people are probably unaware that these embedded Web servers are even there in these printers, photocopiers and scanners.