HP scanners exposing sensitive information
by Steve Ragan - Sep 2 2010, 08:30

A feature in HP scanners called Webscan, which allows someone to scan documents remotely by initiating the scan and viewing the results via the browser, can potentially expose some interesting things... if you know where to look.
Michael Sutton, vice president of Security Research at Zscaler, wrote an interesting report recently on Webscan, a feature available on most HP multi-function products.
The issue with Webscan, the report revealed, is that it's enabled by default and, due to network configurations, most of the devices using it are available to everyone online.
“They’re not even password protected - it’s trivially easy to find exposed scanners,” said Sutton.
With over $1 billion USD in printer sales, HP is a common sight in enterprise environments, as well as the SMB market and one-man shops. Each organization has sensitive data and, with that, unique data protection needs and governance.
“What many enterprises don't realize, is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and if a document was left behind, scan and retrieve it using nothing more than a web browser,” Sutton added.
Based on Zscaler’s observations, it is more often the consumer HP Photosmart scanners that are open by default, rather than the heavily marketed Officejet systems. To locate some of these systems, search for variations of "Estimated Ink Levels", "HP Photosmart", "Items Needing Attention", and “not set”.
Yet, the “many variations of the HP web interface ensures that no single query will identify all exposed scanners,” Sutton explained.
While researching the issue, Sutton was able to find legal documents, ballot forms, and more. Adding to that, The Tech Herald discovered fax logs, and contact information on several systems.
Zscaler has released a Perl script to check your network for problematic devices. You can get a copy here.
In the meantime, if you use a system with Webscan, make sure it is behind a firewall and not exposed to the Web as a whole. Moreover, check to make sure the password settings are enabled.