Tuesday, August 31, 2010

Corporate Espionage for Dummies: HP Scanners

One Version of the WebScan interface on an HP scanner
Scanning functionality in an alternate UI
Web servers have become commonplace on just about every hardware device, from printers to switches. Such an addition makes sense, as all devices require a management interface, and making that interface web accessible is certainly more user friendly than requiring the installation of a new application. Despite typically being completely insecure, such web servers on printers/scanners are generally of little interest from a security perspective, even though network misconfigurations may leave them accessible over the web. Yes, you can see that someone neglected to replace the cyan ink cartridge, but that's not of much value to an attacker.

However, that's not always the case. I was recently looking at a newer model of an HP printer/scanner combo and something caught my eye. HP has, for some time, embedded remote scanning capabilities into many of its network-aware scanners, a functionality often referred to as Webscan. Webscan allows you not only to remotely trigger the scanning functionality, but also to retrieve the scanned image, all via a web browser. To make things even more interesting, the feature is generally turned on by default with absolutely no security whatsoever.

The Insider Threat
With over $1B in printer sales in Q3 2010 alone, and with many of those devices being all-in-one printers, running across an HP scanner in the enterprise is certainly very common. What many enterprises don't realize is that their scanners may, by default, allow anyone on the LAN to remotely connect to the scanner and, if a document was left behind, scan and retrieve it using nothing more than a web browser. Ever left a confidential document on the scanner and sprinted back to retrieve it when you realized? Thought so.

Want to know if your office LAN has any wide open HP scanners running? Run this simple Perl script to determine if there are any devices on the local network running HP web servers.


As everything is web based, an enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document. The URL used to send the web scanned documents to a remote browser is also completely predictable as shown:

http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]

A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature.
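
The once-per-second polling described above leaves a recognizable trace in HTTP logs. The following Python is an added example, not code from the original post: it flags clients that repeatedly fetch the Webscan image URL within a short window. It assumes requests to the scanner are recorded in Common Log Format by a proxy or network sensor; the log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample: one client polling every second, one ordinary retrieval.
SAMPLE_LOG = "\n".join(
    [f'10.0.5.23 - - [31/Aug/2010:09:15:0{s} +0000] "GET /scan/image1.jpg'
     f'?id=1&type=4&size=1&fmt=1&time={1283246100 + s} HTTP/1.1" 200 48211'
     for s in range(6)]
    + ['10.0.5.40 - - [31/Aug/2010:09:20:11 +0000] "GET /scan/image1.jpg'
       '?id=1&type=4&size=1&fmt=1&time=1283246411 HTTP/1.1" 200 51200',
       '10.0.5.40 - - [31/Aug/2010:09:20:30 +0000] "GET / HTTP/1.1" 200 1033',
       'truncated or malformed line'])

LINE_RE = re.compile(r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WEBSCAN_PATH = "/scan/image1.jpg"  # path taken from the URL shown in the post

def webscan_hits(log_text):
    """Yield (client, timestamp) for each successful fetch of the Webscan image."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        if url.path == WEBSCAN_PATH and "time" in parse_qs(url.query):
            yield m["client"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_pollers(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: peak fetches in any window} for clients at/over threshold."""
    per_client = defaultdict(list)
    for client, ts in webscan_hits(log_text):
        per_client[client].append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    for client, peak in find_pollers(SAMPLE_LOG).items():
        print(f"{client}: {peak} Webscan image fetches within one minute")
```

A single retrieval after a legitimate scan stays below the threshold, so only the polling client is reported; tune the threshold and window to how the scanner is normally used.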

The External Threat

Status screen
It's bad enough that many enterprises are running scanners that are remotely accessible by rogue employees, but what if those same scanners were accessible to anyone on the Internet? Whether intentionally set up as such or more likely accidentally exposed via a misconfigured network, there are numerous scanners exposed on the Internet, the majority of which are not password protected. In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version. Interestingly, based on the sample set examined, there was a greater likelihood that HP Photosmart scanners were not locked down as opposed to Officejet scanners. This finding actually makes sense, given that Officejet scanners tend to be marketed to corporate users, a group that is hopefully more likely to implement security protections on hardware/software.


Likelihood of Admin password being set on scanner types identified
Example Google/Bing queries used to identify open scanners:
The many variations of the HP web interface ensure that no single query will identify all exposed scanners, but as can be seen, with a little creativity, it is trivially easy to find exposed scanners.

The Wall of Shame

What sort of things do people leave on their scanners? In researching this blog, I saw checks, legal documents, completed ballot forms, phone numbers...and my personal favorite, Jim's diploma informing the world that he's now a Certified Mold Inspector - congratulations Jim!

Below are samples of documents remotely retrieved due to corporations using HP scanners that were not password protected, on misconfigured networks that exposed their scanners to the Web.

Signed documents
Voting Advice
Signed Checks
Technical Reports
Forms
Certificates
My advice - run the Perl script to see if you have any HP scanners on your network and if you do...lock 'em down quick, by setting the Admin password.

- michael

11 comments:

Flypig said...

Been having fun with 'open' HP Jet direct machines in my company for years. My fav is to set the LCD display to odd messages, e.g. "Hug Me". I search for IPs with port 80 & 9100 open. This throws up all printers, not just HP.

Aaron said...

Did you notice that even after setting an admin password you can still control these devices by SNMP with default community names?

Michael Sutton said...

Aaron - thanks for passing that along, I hadn't noticed that.

Anonymous said...

it is not only HP, also Ricoh and Kyocera have this "feature"
tried to solve it with Ricoh but the only solution is: disable the webadmin pages.

Alex said...

Simply configuring your firewall to block web services from being accessed from outside your corporate network will solve all of these issues. If a web server needs to be publicly accessible, it should be in a DMZ. Segment your network for security.

Michael Sutton said...

Alex - I certainly agree that misconfigured firewalls have led to the scanners being exposed to the web. Unfortunately, firewalls won't solve the internal threat of a rogue employee scanning documents from the LAN. For that the only answer is to set an admin password on the scanner - something that IMO s/be forced out of the box, not left open by default.

Jesse "Agent X" Krembs said...

The results from Shodan are equally interesting... http://www.shodanhq.com/

Stan said...

Thanks for the article. There is another vulnerability in networked MFPs that have memory card slots or front USB ports. These enable someone to plug a storage device directly and print pictures from it, or to scan a document to it. The storage devices can be remotely accessed without password from a computer by using the CIFS (SMB) protocol. With HP OfficeJet Pro 8500 MFP, you can type "\\IP-address" in Windows Explorer where IP is the MFP's IP address. This feature is enabled by default.

So a user who thinks the document is securely scanned to a memory card, unknowingly shared the card contents to the whole network.

This is an industry wide problem, not just HP has this vulnerability. Ease of use takes precedence over security.

Refurbished Computers said...

Web servers have become commonplace on just about every hardware device from printers to switches. Such an addition makes sense as all devices require a management interface and making that interface web accessible is certainly more user friendly than requiring the installation of a new application.

deviza árfolyam said...

I love your blog Umesh. Please keep posting.

Medyum said...

it is not only HP, also Ricoh and Kyocera have this "feature"
tried to solve it with Ricoh but the only solution is: disable the webadmin pages.