

Networked Scanners Offer A Window Into The Enterprise, Researcher Says

Emerging Web-based features make it possible to capture document contents remotely, Zscaler's Sutton warns

It happens every day -- a sensitive document lies in the copier room, forgotten by the person who left it on the scanner. No big deal, right? Nobody else was able to read it.

Wrong, says Michael Sutton, a lab researcher at security vendor Zscaler. In fact, that document could easily be captured by an insider or an external hacker, without ever moving the paper from the scanner.

In a blog posted yesterday, Sutton offered some hard evidence to suggest that networked scanners equipped with remote operations capabilities can easily be tapped to collect data from the sensitive documents that are run through them each day.

"What many enterprises don't realize is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner, and if a document was left behind, scan and retrieve it using nothing more than a Web browser," Sutton says.

Hewlett-Packard's scanners, in particular, offer a feature called Webscan, which allows users to trigger scans remotely via a Web server and retrieve the image via a browser, Sutton observes. But in the wrong hands, this feature might be used to capture the images of documents left on the scanner -- including sensitive corporate information.

In the blog, Sutton shows examples of documents that he discovered using simple exploits that take advantage of the Webscan feature. Among them are signed documents, signed checks, technical reports, and corporate forms.

"An enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document," Sutton says. "The URL used to send the Web-scanned documents to a remote browser is also completely predictable. A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature."

And because the remote scanning capability is Web-based -- and typically turned on by default in HP scanners -- there is also a risk that it will be exploited by outsiders, Sutton says.
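
The scripted polling Sutton describes leaves a regular pattern that defenders can look for in HTTP logs. The following is an added example, not code from Sutton's blog or from HP: it flags clients that request the scan image in a sustained, closely spaced run. It assumes Common Log Format records from a proxy or network sensor in front of the scanners, and `SCAN_PATH` is a hypothetical placeholder, since the article does not give the real Webscan URL.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical placeholder: the article does not give the real Webscan URL.
SCAN_PATH = "/webscan/image"

# Common Log Format, as an assumed HTTP sensor or proxy would record it.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+'
)

def parse(line):
    """Return (client, timestamp, path) for one log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["client"], ts, m["path"].split("?", 1)[0]

def find_pollers(lines, max_gap=5.0, min_run=10):
    """Map client -> longest run of SCAN_PATH requests spaced <= max_gap seconds,
    for clients whose longest run reaches min_run."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == SCAN_PATH:
            hits[rec[0]].append(rec[1])
    flagged = {}
    for client, times in hits.items():
        times.sort()
        run = best = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            flagged[client] = best
    return flagged

def sample_log():
    """Constructed sample: one host polling every second, one occasional user."""
    fmt = '{} - - [12/Mar/2010:09:{:02d}:{:02d} +0000] "GET {} HTTP/1.1" 200 5120'
    lines = [fmt.format("10.0.5.23", 0, s, SCAN_PATH + "?id=1") for s in range(30)]
    lines += [fmt.format("10.0.5.40", m, 0, SCAN_PATH) for m in (1, 9, 30)]
    lines += [fmt.format("10.0.5.40", 2, 0, "/index.htm"), "malformed line"]
    return lines

if __name__ == "__main__":
    print(find_pollers(sample_log()))
```

The `max_gap` and `min_run` thresholds are starting values to tune against how often people legitimately use remote scanning on a given network.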

"Whether intentionally set up as such -- or, more likely, accidentally exposed via a misconfigured network -- there are numerous scanners exposed on the Internet, the majority of which are not password protected," Sutton says. "In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version."

The many variations of the HP Web interface ensure that no single query will identify all exposed scanners, Sutton says. "But as can be seen, with a little creativity, it is trivially easy to find exposed scanners."

The vulnerability of networked peripherals is a well-known issue. ICSA Labs offers a testing program which enables vendors to test their non-computer products for such vulnerabilities, but many enterprises still overlook the problem, observers say.

Sutton has published a Perl script that enables enterprises to determine if they have any devices running HP Web servers on their local area networks.

"My advice: run the Perl script to see if you have any HP scanners on your network," Sutton says. "And if you do, lock 'em down quick, by setting the admin password."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
