Networked devices typically incorporate a web server for configuration. Doing so conveniently eliminates the need for client-side software. Problem is it also opens the door for bad guys.
I read an interesting post by Michael Sutton on the Zscaler web site. He discovered that networked HP Officejet products can be exploited to steal potentially sensitive information. Thankfully, the cure is simple.
When I started reading Mr. Sutton's post, I wasn't that concerned. Not many users know about the configuration web servers or how to access them. The only negative experience I've encountered was when someone mistakenly changed the static IP address, knocking the printer offline.
Besides, web servers are only accessible from computers on the internal network. That means an attacker has to be an insider or penetrate perimeter defenses. In either case, there is more to worry about than the configuration of an Officejet All-in-One.
Not necessarily true
It seems that many home and company networks aren't set up properly, because Officejet web pages are showing up on the Internet. Mr. Sutton came up with a clever way to find them. Since the web servers are facing the Internet, all that's required is to run a search query for common phrases used on these particular web pages. For example:
- "Estimate only. Actual ink levels may vary."
- "Estimated Ink Levels", "HP Photosmart", "Items Needing Attention"
- hp photosmart status, "product serial number", "product model number"
I was amazed at the number of devices that show up in my first query:
HP Officejet products by default are not password protected. So a vast majority of the devices I found were wide open. I could change any of the settings that I wanted to. Then if I wanted to be nasty, I could create an admin password, locking the respective users out of their own Officejet printer/scanner.
To make matters worse
The newer versions of HP Officejet products incorporate a feature called Webscan. This gives remote users the ability to initiate a scan and retrieve the scanned image. That may seem fairly harmless, but Mr. Sutton has this to say:
"What many enterprises don't realize, is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and if a document was left behind, scan and retrieve it using nothing more than a web browser. Ever left a confidential document on the scanner and sprinted back to retrieve it when you realized? Thought so."
At the end of Mr. Sutton's post he has several images that he was able to retrieve using Webscan.
My neighbor has an Officejet J6410. I asked him if he knew about the configuration web server. He did not, as the Officejet was set up using the HP software package that came with the J6410. That meant the hardware did not have a password and could be accessed remotely.
I asked permission to run a few tests, and this is what I found. The first slide presents all the device information; notice that the J6400 has the Webscan feature:
The next slide shows how easy it would be for me to change the IP address and DNS server information:
I went to the security web page and, as you can see, no password is set:
Next, I opened the Webscan page and hit the preview button. It could not have worked out better. There was a picture still in the scanner and I was able to save the digital image on my computer:
The Officejet spy tool
You can see from my tests and the earlier search results that an Officejet printer/scanner has the potential to be quite a spy tool. Using the web interface, information about the network can be gleaned and, with luck, sensitive information can be obtained via the scanner.
Mr. Sutton feels it would be simple to write a script to regularly run the scanner:
"As everything is web based, an enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document. The URL used to send the web scanned documents to a remote browser is also completely predictable as shown:
http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]
A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature."
As I mentioned earlier, the solution is to create an admin password for the web server. That should prevent any access to the configuration or Webscan. For enterprises that have a significant number of printer/scanners, Mr. Sutton has written a Perl script that will determine if any networked devices are running HP web servers.
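To show the kind of inventory check Mr. Sutton's Perl script performs, here is an added example (my own illustration, not his script) that fetches the front page of each host on an internal list and classifies it using the phrases quoted earlier in this article. The host addresses and sample pages are constructed, and the assumption that a password-protected device answers with HTTP 401 is standard HTTP behaviour, not something the article states.

```python
"""Audit internal hosts for HP embedded web servers that answer without
a password.  Added example; not Mr. Sutton's Perl script.  Hosts and
sample HTML are constructed; the fingerprint phrases are the ones the
article lists as typical of HP Officejet/Photosmart status pages."""
import urllib.error
import urllib.request

HP_MARKERS = (
    "Estimate only. Actual ink levels may vary.",
    "Estimated Ink Levels",
    "Items Needing Attention",
    "HP Photosmart",
    "HP Officejet",
)


def classify_page(status, body):
    """Classify one host from its HTTP status code and page body.

    Assumption (plain HTTP semantics, not from the article): a device whose
    pages are password-protected replies 401 instead of serving the page."""
    if status == 401:
        return "auth-required"          # a password is set; nothing to fix
    text = body.lower()
    if not any(marker.lower() in text for marker in HP_MARKERS):
        return "not-hp"                 # some other web server
    if "webscan" in text:
        return "hp-open-webscan"        # unauthenticated and advertises Webscan
    return "hp-open"                    # unauthenticated HP configuration page


def audit_host(host, timeout=3.0):
    """Fetch http://<host>/ and classify it; network errors are reported, not raised."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return classify_page(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_page(err.code, "")   # 401/403/404 etc. still classify
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    # Constructed addresses; replace with the hosts on your own printer segment.
    for host in ("192.0.2.10", "192.0.2.11"):
        print(host, audit_host(host))
```

Any host reported as "hp-open" or "hp-open-webscan" is one where the admin password from the next paragraph still needs to be set.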
In my research for this article, I came across another possible solution for larger companies. ICSA Labs has developed a Network Attached Peripheral Security program, in which ICSA Labs works with vendors and companies to make sure devices are configured correctly.
We have to get the word out. Forgetting to set access passwords, or not changing default passwords, on network devices is far too prevalent. In this case, the cost of disregarding that advice could be anything from merely embarrassing to all-out identity theft.
Update: Apparently, Ricoh and Kyocera printer/scanners have a feature similar to Webscan. Any further information about those brands would be appreciated.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.