Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Networked Scanners Offer A Window Into The Enterprise, Researcher Says

Emerging Web-based features make it possible to capture document contents remotely, Zscaler's Sutton warns

It happens every day -- a sensitive document lies in the copier room, forgotten by the person who left it on the scanner. No big deal, right? Nobody else was able to read it.

Wrong, says Michael Sutton, a lab researcher at security vendor Zscaler. In fact, that document could easily be captured by an insider or an external hacker, without ever moving the paper from the scanner.

In a blog posted yesterday, Sutton offered some hard evidence to suggest that networked scanners equipped with remote operations capabilities can easily be tapped to collect data from the sensitive documents that are run through them each day.

"What many enterprises don't realize is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner, and if a document was left behind, scan and retrieve it using nothing more than a Web browser," Sutton says.

Hewlett-Packard's scanners, in particular, offer a feature called Webscan, which allows users to trigger scans remotely via a Web server and retrieve the image via a browser, Sutton observes. But in the wrong hands, this feature might be used to capture the images of documents left on the screen -- including sensitive corporate information.

In the blog, for example, Sutton shows examples of documents that he discovered using simple exploits that take advantage of the Webscan feature. Among them are signed documents, signed checks, technical reports, and corporate forms.

"An enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document," Sutton says. The URL used to send the Web-scanned documents to a remote browser is also completely predictable. A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature."

And because the remote scanning capability is Web-based -- and typically turned on by default in HP scanners -- there is also a risk that it will be exploited by outsiders, Sutton says.

"Whether intentionally set up as such -- or, more likely, accidentally exposed via a misconfigured network -- there are numerous scanners exposed on the Internet, the majority of which are not password protected," Sutton says. "In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version."

The many variations of the HP Web interface ensures that no single query will identify all exposed scanners, Sutton says. "But as can be seen, with a little creativity, it is trivially easy to find exposed scanners."

The vulnerability of networked peripherals is a well-known issue. ICSA Labs offers a testing program which enables vendors to test their non-computer products for such vulnerabilities, but many enterprises still overlook the problem, observers say.

Sutton has published a Perl script that enables enterprises to determine if they have any devices running HP Web servers on their local area networks.

"My advice: run the Perl script to see if you have any HP scanners on your network," Sutton says. "And if you do, lock 'em down quick, by setting the admin password."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-19
Code42 app through version 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local machine could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an ele...
PUBLISHED: 2019-11-19
Code42 server through 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated ...
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.