Wrong, says Michael Sutton, a lab researcher at security vendor Zscaler. In fact, that document could easily be captured by an insider or an external hacker, without ever moving the paper from the scanner.
In a blog post published yesterday, Sutton offered some hard evidence to suggest that networked scanners equipped with remote operations capabilities can easily be tapped to collect data from the sensitive documents that are run through them each day.
"What many enterprises don't realize is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner, and if a document was left behind, scan and retrieve it using nothing more than a Web browser," Sutton says.
Hewlett-Packard's scanners, in particular, offer a feature called Webscan, which allows users to trigger scans remotely via a Web server and retrieve the image via a browser, Sutton observes. But in the wrong hands, this feature might be used to capture the images of documents left on the screen -- including sensitive corporate information.
In the blog, for example, Sutton shows examples of documents that he discovered using simple exploits that take advantage of the Webscan feature. Among them are signed documents, signed checks, technical reports, and corporate forms.
"An enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document," Sutton says. "The URL used to send the Web-scanned documents to a remote browser is also completely predictable. A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature."
And because the remote scanning capability is Web-based -- and typically turned on by default in HP scanners -- there is also a risk that it will be exploited by outsiders, Sutton says.
"Whether intentionally set up as such -- or, more likely, accidentally exposed via a misconfigured network -- there are numerous scanners exposed on the Internet, the majority of which are not password protected," Sutton says. "In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version."
The many variations of the HP Web interface ensure that no single query will identify all exposed scanners, Sutton says. "But as can be seen, with a little creativity, it is trivially easy to find exposed scanners."
The vulnerability of networked peripherals is a well-known issue. ICSA Labs offers a testing program which enables vendors to test their non-computer products for such vulnerabilities, but many enterprises still overlook the problem, observers say.
Sutton has published a Perl script that enables enterprises to determine if they have any devices running HP Web servers on their local area networks.
"My advice: run the Perl script to see if you have any HP scanners on your network," Sutton says. "And if you do, lock 'em down quick, by setting the admin password."