Michael Sutton, Vice President of Security Research at Zscaler Labs, outlines in this blog post how a feature, called WebScan, that’s enabled by default on countless HP all-in-one printers, can be activated remotely to transmit copies of a scanned document over the Internet. Since Sutton’s blog description is rather technical, LastWatchdog interviewed him to get the full context. understanding:
LW: Can you clarify how a bad guy might take advantage of this remote scanning capability?
Sutton: A rogue employee could identify the existence of HP scanners on his company’s network. Using the WebScan functionality, he could write a script to regularly run the scanner remotely, retrieving an image of anything that has been left on the scanner.
LW: So this type of attack will only get a copy of something that happens to be left on the scanner after a scan. Don’t most people scan, then take their docs with them?
Sutton: In general, the attack would require that a document be left on the scanner. The hacker would most likely create a script that runs the scanner say every five minutes, and thus catch anything that may have been left on the scanner.
LW: Why did HP include the WebScan functionality if it’s so easy to exploit.
Sutton: To be perfectly honest, I see the WebScan functionality as more of a marketing gimmick. While WebScan does provide a convenient means of obtaining a digital copy of a scanned document, this same goal could certainly be accomplished without exposing the scanner to anyone in the office.
LW: Do you have an estimate for how many HP all-in-one printers with this weakness are out in the field?
Sutton: As far as I know, most all-in-one HP Photosmart and Officejet printers sold in the last several years have some variant of the WebScan functionality. Given that fact, there are quite likely millions of devices deployed throughout enterprises that have a remote scanning capability exposed.
TL: Is this a problem with other brands of printer/scanners?
Sutton: At this point, I have only researched HP scanners.
LW: What’s the systemic security weakness?
Sutton: The weakness exists because remote scanning is embedded in HP scanners and the functionality is turned on by default, without any security in place. What’s more concerning is the fact that most companies likely have no idea that the WebScan feature even exists, much less that it is not secured.
LW: How might this be resolved?
Sutton: It would be very simple for HP to address this for new scanners – the WebScan functionality should be disabled by default or at a minimum force an administrative password to be applied before it becomes functional. Unfortunately, that will do little to assist the millions of owners that have already deployed an HP scanner which is remotely accessible.
By Byron Acohido