Figure: One version of the WebScan interface on an HP scanner.
Figure: Scanning functionality in an alternate UI.
The Insider Threat
With over $1B in printer sales in Q3 2010 alone, and with many of those devices being all-in-one printers, running across an HP scanner in the enterprise is certainly very common. What many enterprises don't realize is that their scanners may, by default, allow anyone on the LAN to connect to the scanner remotely and, if a document was left behind on the glass, scan and retrieve it using nothing more than a web browser. Ever left a confidential document on the scanner and sprinted back to retrieve it when you realized? Thought so.
Want to know if your office LAN has any wide open HP scanners running? Run this simple Perl script to determine whether there are any devices on the local network running HP web servers.
As everything is web based, an enterprising but disgruntled employee could simply write a script that triggers the scanner at regular intervals in the hope of capturing an abandoned document. The URL used to deliver the web-scanned document to the remote browser is also completely predictable, as shown:
http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]
A script could therefore also be written to run once per second and capture any document scanned through the WebScan feature.
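As an added example (not part of the original article), the following Python script shows how a defender could spot the polling behaviour described above in HTTP traffic logs captured on the network segment (from a proxy, an IDS or a span port). The log format, host addresses and timestamps are constructed for this example; the only thing taken from the page is the /scan/image1.jpg URL pattern. A single retrieval of a scan is normal use, so the check flags only sources that request the WebScan image endpoint far more often than a person would within a sliding time window.

```python
"""Detect repeated polling of the HP WebScan image endpoint in HTTP logs.

Constructed example: the log format (ISO timestamp, source IP, destination IP,
request URI, separated by spaces) is an assumed export format, not any HP or
vendor format. The URL path pattern comes from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path of the WebScan result image as shown on the page; the query values vary
# per request, so only the path prefix is matched.
WEBSCAN_RE = re.compile(r"^/scan/image\d+\.jpg\?")


def _build_sample_log():
    """Constructed log: one user fetching a scan once, one host polling
    the endpoint every second for a minute, plus unrelated requests."""
    base = datetime(2010, 11, 15, 9, 0, 0)  # constructed timestamp
    epoch = 1289811600                       # constructed epoch for the query
    lines = []
    # A normal user retrieving one scanned page, then browsing the status page.
    lines.append(f"{base.isoformat()} 10.0.0.20 10.0.0.9 "
                 f"/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time={epoch}")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} "
                 "10.0.0.20 10.0.0.9 /")
    # A polling script hitting the endpoint once per second for 60 seconds.
    for i in range(60):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.50 10.0.0.9 "
                     f"/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time={epoch + i}")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, uri)."""
    ts, src, dst, uri = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, dst, uri


def find_pollers(lines, window_seconds=60, threshold=10):
    """Return {(src, dst): max_hits} for sources that requested the WebScan
    image endpoint more than `threshold` times within any window of
    `window_seconds` seconds. Other requests are ignored."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, dst, uri = parse_line(line)
        if WEBSCAN_RE.match(uri):
            hits[(src, dst)].append(ts)

    flagged = {}
    for key, times in hits.items():
        times.sort()
        left = 0
        best = 0
        # Sliding window: advance `left` until the window fits, then record
        # the number of hits inside it.
        for right in range(len(times)):
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best > threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (src, dst), count in find_pollers(SAMPLE_LOG).items():
        print(f"possible WebScan polling: {src} -> {dst}, "
              f"{count} image requests within 60s")
```

The threshold is deliberately generous: a person who scans a few pages will fetch the image a handful of times over several minutes, while the once-per-second script the article describes produces dozens of hits per minute from one source. Tune `window_seconds` and `threshold` to the scan volume you actually see on your own devices before alerting on it.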
The External Threat
Figure: Likelihood of an admin password being set, by scanner type identified.
- "Estimate only. Actual ink levels may vary."
- "Estimated Ink Levels" "HP Photosmart" "Items Needing Attention"
- hp photosmart status "product serial number" "product model number"
- inbody:"Estimated Black Ink Level"
Below are samples of documents retrieved remotely from corporations that used HP scanners without password protection, on misconfigured networks that exposed those scanners to the Web.