Today, everything from kitchen appliances to television sets come with an IP address. Network connectivity for various hardware devices opens up exciting opportunities. Forgot to lower the thermostat before leaving the house? Simply access it online. Need to record a show? Start the DVR with a mobile app. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. What if that same convenience exposed photocopied documents online or allowed outsiders to record your telephone conversations? A frightening thought indeed.
Software vendors have been forced to climb the security learning curve. As independent researchers uncovered embarrassing vulnerabilities, vendors had little choice but to plug the holes and revamp development lifecycles to bake security into products. Vendors of embedded web servers have faced minimal scrutiny and as such are at least a decade behind when it comes to security practices. Today, network connected devices are regularly deployed with virtually no security whatsoever.
The risk of insecure embedded web servers has been amplified by insecure networking practices. Every home and small business now runs a wireless network, but it was likely set up by someone with virtually no networking expertise. As such, many devices designed only for LAN access are now unintentionally Internet facing and wide open to attack from anyone, regardless of their location.
Leveraging the power of cloud based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'wifi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target rich environment for years to come. Additionally, we'll launch BREWS, a crowd sourcing initiative to build a global database EWS fingerprinting data. Traditional security scanners largely ignore EWSs and gathering appropriate fingerprinting data is a challenge as most reside on LANs where external scanning is not an option. As such, we're issuing a call to arms to collectively gather this critical data.