Printers

HP Officejet All-in-One: An unlikely spy tool

Networked devices typically incorporate a web server for configuration. Doing so conveniently eliminates the need for client-side software. The problem is that it also opens the door for bad guys.

I read an interesting post by Michael Sutton on the Zscaler web site. He discovered that networked HP Officejet products can be exploited to steal potentially-sensitive information. Thankfully, the cure is simple.

The problem

When I started reading Mr. Sutton's post, I wasn't that concerned. Not many users know about configuration of web servers or how to access them. The only negative experience I've encountered was when someone mistakenly changed the static IP address, knocking the printer off line.

Besides, web servers are only accessible from computers on the internal network. That means an attacker has to be an insider or penetrate perimeter defenses. In either case, there is more to worry about than the configuration of an Officejet All-in-One.

Not necessarily true

It seems that many home and company networks aren't set up properly, since Officejet web pages are showing up on the Internet. Mr. Sutton came up with a clever way to find them. Since the web servers are facing the Internet, all that's required is to run a search query for common phrases used on these particular web pages. For example:

  • "Estimate only. Actual ink levels may vary."
  • inanchor:"page=printerInfo"
  • "Estimated Ink Levels", "HP Photosmart", "Items Needing Attention"
  • hp photosmart status, "product serial number", "product model number"

Search results

I was amazed at the number of devices that showed up in my first query:

HP Officejet products by default are not password protected. So a vast majority of the devices I found were wide open. I could change any of the settings that I wanted to. Then if I wanted to be nasty, I could create an admin password, locking the respective users out of their own Officejet printer/scanner.

To make matters worse

The newer versions of HP Officejet products incorporate a feature called Webscan. This gives remote users the ability to initiate a scan and retrieve the scanned image. That may seem fairly harmless, but Mr. Sutton has this to say:

"What many enterprises don't realize, is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and if a document was left behind, scan and retrieve it using nothing more than a web browser. Ever left a confidential document on the scanner and sprinted back to retrieve it when you realized? Thought so."

At the end of Mr. Sutton's post he has several images that he was able to retrieve using Webscan.

Test results

My neighbor has an Officejet J6410. I asked him if he knew about the configuration web server. He did not, as the Officejet was set up using the HP software package that came with the J6410. That meant the hardware did not have a password and could be accessed remotely.

I asked permission to run a few tests, and this is what I found. The first slide presents all the device information; notice that the J6400 has the Webscan feature:

The next slide shows how easy it would be for me to change the IP address and DNS server information:

I went to the security web page and, as you can see, no password is set:

Next, I opened the Webscan page and hit the preview button. It could not have worked out better. There was a picture still in the scanner and I was able to save the digital image on my computer:

The Officejet spy tool

You can see by my tests and the earlier search results that an Officejet printer/scanner has the potential to be quite a spy tool. Using the web interface, information about the network can be gleaned and if lucky, sensitive information can be obtained via the scanner.

Mr. Sutton feels it would be simple to write a script to regularly run the scanner:

"As everything is web based, an enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document. The URL used to send the web scanned documents to a remote browser is also completely predictable as shown:

http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]

A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature."

Simple fix

As I mentioned earlier, the solution is to create an admin password for the web server. That should prevent any access to the configuration or Webscan. For enterprises that have a significant number of printer/scanners, Mr. Sutton has written a Perl script that will determine if any networked devices are running HP web servers.
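For a network with more than a handful of devices, the check Mr. Sutton's Perl script performs can be done with a short audit of your own LAN. The script below is an added example, not Mr. Sutton's script and not HP code. It assumes that the status-page phrases quoted earlier in the article identify an HP embedded web server, and that a configuration page answers 401 once an admin password is set and 200 when it is not; the configuration and Webscan paths are placeholders, because the real paths vary by model and are not given in the article. The sample responses are constructed for the example so it runs offline; `http_fetch` is the real fetcher to substitute when auditing your own printers.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Phrases the article lists as typical of HP Officejet/Photosmart embedded web pages.
FINGERPRINT_PHRASES = (
    "Estimate only. Actual ink levels may vary.",
    "Estimated Ink Levels",
    "Items Needing Attention",
    "page=printerInfo",
)

ROOT_PATH = "/"
# PLACEHOLDERS: the real configuration and Webscan paths differ per model.
CONFIG_PATH = "/PLACEHOLDER_config_page"
WEBSCAN_PATH = "/PLACEHOLDER_webscan_page"

Response = Tuple[Optional[int], str]          # (HTTP status or None, body)
Fetcher = Callable[[str, str], Response]      # (host, path) -> Response


@dataclass
class Finding:
    host: str
    hp_ews: bool                        # looks like an HP embedded web server
    admin_password_set: Optional[bool]  # None when not an HP EWS or no answer
    webscan_reachable: bool


def looks_like_hp_ews(body: str) -> bool:
    """Case-insensitive match on the status-page phrases from the article."""
    lowered = body.lower()
    return any(phrase.lower() in lowered for phrase in FINGERPRINT_PHRASES)


def http_fetch(host: str, path: str, timeout: float = 3.0) -> Response:
    """Real fetcher for your own LAN: (status, body), or (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}{path}", timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""            # 401 is the answer we want for CONFIG_PATH
    except (urllib.error.URLError, OSError):
        return None, ""


# Constructed sample responses for three imaginary LAN hosts (not real devices).
SAMPLE_RESPONSES: Dict[Tuple[str, str], Response] = {
    ("192.168.1.20", ROOT_PATH): (200, "<title>HP Officejet</title> Estimated Ink Levels "
                                       "Estimate only. Actual ink levels may vary."),
    ("192.168.1.20", CONFIG_PATH): (200, "<form>IP Address DNS Server</form>"),
    ("192.168.1.20", WEBSCAN_PATH): (200, "<input type=submit value=Preview>"),
    ("192.168.1.21", ROOT_PATH): (200, "HP Photosmart - Items Needing Attention"),
    ("192.168.1.21", CONFIG_PATH): (401, ""),
    ("192.168.1.21", WEBSCAN_PATH): (401, ""),
    ("192.168.1.30", ROOT_PATH): (200, "<title>NAS admin</title>"),
}


def sample_fetch(host: str, path: str) -> Response:
    return SAMPLE_RESPONSES.get((host, path), (None, ""))


def audit_host(host: str, fetch: Fetcher) -> Finding:
    status, body = fetch(host, ROOT_PATH)
    if status != 200 or not looks_like_hp_ews(body):
        return Finding(host, False, None, False)
    cfg_status, _ = fetch(host, CONFIG_PATH)
    scan_status, _ = fetch(host, WEBSCAN_PATH)
    # Assumption: 401 on the configuration page means an admin password is set.
    return Finding(host, True, cfg_status == 401, scan_status == 200)


def audit(hosts: List[str], fetch: Fetcher = sample_fetch) -> List[Finding]:
    return [audit_host(h, fetch) for h in hosts]


def report(findings: List[Finding]) -> List[str]:
    """One line per HP embedded web server, highlighting the unprotected ones."""
    lines = []
    for f in findings:
        if not f.hp_ews:
            continue
        if f.admin_password_set:
            lines.append(f"{f.host}: HP embedded web server, admin password set")
        else:
            extra = ", Webscan reachable" if f.webscan_reachable else ""
            lines.append(f"{f.host}: HP embedded web server with NO admin password{extra}")
    return lines


if __name__ == "__main__":
    for line in report(audit(["192.168.1.20", "192.168.1.21", "192.168.1.30"])):
        print(line)
```

Run against real devices as `audit(my_printer_ips, http_fetch)`; any host reported with no admin password is one where the fix above (setting the password) is still outstanding.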

In my research for this article, I came across another possible solution for larger companies. ICSA Labs has developed a Network Attached Peripheral Security program, in which ICSA Labs works with vendors and companies to make sure devices are configured correctly.

Final thoughts

We have to get the word out. Forgetting to use access passwords or not changing default passwords on network devices is too prevalent. In this case, the cost for disregarding that advice could be anything from just embarrassing to all out identity theft.

Update: Apparently, Ricoh and Kyocera printer/scanners have a feature similar to Webscan. Any further information about those brands would be appreciated.

47 comments
Al_nyc

That remote scan feature will net the bad guys lots of hits right around tax time when everyone is making copies of their tax forms. I have an HP wireless printer, but I only turn it on briefly when I need to print something. The rest of the time it is off. But now that I know it can be a problem, I plan on adding a password and if I can figure it out, I will change the firewall settings on my wireless router to stop any external queries to the printer.

seanferd

Understatement of the century. OK, I don't even have to consider this from an efficiency, best practices, or security standpoint - there seem to be loads of business and home networks that aren't even set up so that the network owner gets what he wants. This constantly amazes me. Edited for title field converting the copied/quoted ' to ?.

JCitizen

My Brother laser printer came with malware in the install disk!! After spending a LOT of money trying to find out WHO was probing the interior of my LAN, I finally downloaded the web driver for the printer from the Brother update site, and that fixed the issue. Needless to say, Brother is denying they issued any such disk; but how else do you explain it? Perhaps just a corrupted driver? Why then was server code injected where there was not supposed to be any? This was not a network printer!

bclomptwihm

I smell a class action suit coming. This Class Action suit, like all the others, will end the same way. The poor victimized "class" will get a coupon for a few dollars off the services the evil plaintiff HP provides. The lawyers will walk off with $20,000,000 and the "class" victims will find that HP has just raised prices to pay off the lawyers. Don't these anti-business consumer "protection" types ever learn?

Michael Horowitz

What I don't get is why the printer doesn't have a private IP address, such as 192.168.x.x or 10.x.x.x? How is it possible for a LAN resident device to be seen on the Internet without port forwarding or a DMZ configured in the router?

SoCalDoc

Thank you and Michael Sutton for alerting me! I immediately set admin pwds on my 3 networked HP's (2 OJ's + 1 DJ). This blocked access to SETTING network/bluetooth/wifi parameters. It is of interest to note that the password does not block DISPLAY of just about all parameters, however.

Craig_B

I saw a "Hacker Techniques" presentation where they went over this type of thing. Google has a lot of information that can be used in many different ways. By accessing an internal device from outside you can find ip address/subnet information, naming conventions, etc. Someone can now use this for social engineering, I'm calling about the HP xxxx printer that is low on toner, etc. It can get quite scary.

shardeth-15902278

Perhaps I am being overly paranoid/cynical, but I have doubts as to whether HP invested any serious effort to hardening the web server on those devices. I'd argue in favor of just keeping the thing off the internet, behind a firewall.

BobP64

HP Printers suck so badly these days that they're not worth looking at anyway. I have had several of them go belly up, and in particular, an HP 7410 that I paid $499 for really ticked me off. It died after approximately 7 months. A small plastic tab used to hold a spring that sensed the new ink cartridge (talk about poor design) broke. HP sent me a "refurb" unit. This refurb unit died after 5.5 months - that's right about 2 weeks after the 1 year warranty was up. After numerous calls talking to people in India and the Philippines I tried calling HP in the US - I could not connect to anyone. I even sent an email to Mark Hurd telling him that I would vow to cost HP a minimum of 100 Million in sales if this was not corrected. I continue to tell my tale of how badly HP treats customers with their poorly designed products (and this 7410 was not the 1st or last HP product that died an untimely death that I have)... Roll back to the late 90's - HP Laserjet 4000 - I still have it and it is GREAT. I just put in a new toner cartridge. The 90's were the last gasp of what I call the "old" HP. Today's HP creates JUNK, JUNK, and more JUNK. Stay away from HP if you want your product to last. BTW, to replace that $499 7410 I bought a Canon all in one for $159. That's right, it does the SAME THINGS. That single printer has lasted 2.5 years so far and is still going strong. Even IF it died today, I would be about 7.5 times better off (only 1/3 the price and it lasted 2.5x longer). Canon is now my main source of printers. I suggest everyone else do the same.

Gis Bun

Not really surprised with HP. With all the "garbage" that loads up when you install one of their MFP or just a regular printer, I am not surprised that there is an issue with them.

V.H. Scarpacci

I had noticed years ago that some of HP's installed applications for reporting problems with the HP printers, Laptops and Workstations show up as malware. Usually labeled as one form of backdoor or another. If it is possible I will not install HP software that come with these devices, but sometimes we don't have the choice. I for one really get riled when I have to install a printer driver that starts installing 20 minutes of 'enhancements' on a work PC.

santeewelding

In all of recorded history has this not been so?

Michael Kassner

Glad you figured it out. I never use the install disks. Nine times out of ten, they are out-of-date.

Michael Kassner

If you noticed, the IP address of the device in my slides was using an internal IP address. But, I was able to get to it via the Internet. There were many similar examples in my searches.

kama410

I know of a place that got a phone call to an internal number (that can be called from outside) and the person that answered apparently gave out information about a local printer. A couple of weeks later two toner cartridges show up with an invoice. They ended up paying for the toner cartridges that they had never ordered. Pretty effective.

Michael Kassner

If you look at some of the search results the IP addresses of the Officejets are private ones. I suspect that the firewall is allowing outgoing port 80 traffic.

jstemper

It still amazes me how indifferent companies, like HP, are to word of mouth advertising, positive and negative. A single review, like BobP64, can have significant negative impact but HP just bulls on. I think they must be adherents of PT Barnum's philosophy and truly believe there is a sucker born every minute.

thisaintmyemail

They constantly run out of ink, need maintenance, and are a waste of paper. Everything just needs to stay digital. Now in terms of HP, I personally like their Laptops and Desktops. I have an HP 200LX still running great, along with a HP dv2000MT Minitower PC as my main desktop at home and it runs like a dream. We even have a Deskjet All-in-one Printer from HP (The model's number escapes me) and it's been running great since 2005. It also doesn't need any drivers, we plug it into multiple laptops and it prints and scans no problem. If you're running Windows XP or newer, I haven't found a need for installing the drivers.

Michael Kassner

Has several 4 Plus printers that are working just fine. It is amazing.

Michael Kassner

Other vendors are having the same problem. People are just not aware of the need to create an admin password.

Tony Hopkinson

ran the find a printer bit, just after we'd joined up to the main network. It took out 22 PLCs and stopped five manufacturing plants.... We spent a good deal of time looking for malware, before we realised it was him. To the PLCs the probe request appeared to be a maliciously crafted packet.

JCitizen

from HP crapware and drivers! However, they might as well be true malware, with the way they act, and no more than I trust printer manufactures lately! :|

Michael Kassner

I have come across that myself. This exploit does not require loading any client software.

seanferd

Never mind. Applies to all. All the little bits of it.

JCitizen

that is generally the case with me too! Thanks for the article! =D

Ocie3

should stop any inbound traffic that is not destined for an active connection on the destination port, such as HTTP on port 80 (but please keep reading). It is possible that installing the HP hardware opens a port through any firewall, too, perhaps one on the gateway router to the Internet. I am not an expert, but that seems tantamount to establishing a static connection, and an SPI firewall will pass any traffic destined to it. If a printer is running a "web server", then it might open a port in a gateway router's firewall as well as in the firewall, if any, that is on its own server. (It seems unlikely that the printer's server has a firewall.) The open port permits Google web crawlers to collect (and index) the content from the HTML pages in the printer, which is, as you have reported, running a "web server". So it seems that the password probably just prevents someone from tinkering with the printer's configuration (unless and until they break the password, and I would guess that their little ol' utility to do that has an unlimited number of attempts). As another contributor reported previously, he can still read data from the printer's configuration after changing the default password.

terry

I think the real problem here isn't so much with the scanner as it is with the edge router natting through port 80 to it; surely correcting this would minimise exposure; yes you can still have malicious employees on the internal network setup a script to scan or change the admin password but I'm picking if you were that worried about it you would have set the passwords already. There used to be a site that had links to dozens of google search phrases to find such devices on the internet, not just printers but IP cameras etc; I think the term is google hacking or something like that, I have looked but I can't seem to find it at the moment.

Edward D

Michael, thank you for bringing this to our attention. It strikes me like one of those stories ... "Just when I thought I was safe..." Ed DeRosier

JCitizen

to do a GRC Shields UP! scan every time I add ANY software or hardware to any of my PCs. You never know when a driver is going to open up a port on the perimeter gateway device! Using Comodo as an interior software firewall has prevented this, but I still check anyway!

Michael Kassner

They consider what I wrote about to be a problem. They actually call it a feature. I just wish they would be more emphatic about telling people to create an admin password. Edit: Spelling

Michael Kassner

I found that with my Epsons as well. Win 7 has the correct drivers built in.

JCitizen

that if you order straight from HP and buy the warranted protection, they bend over backwards to get you a better product and service. However, with my recent experiences, I got to admit, they must be junk anyway. Problem is, Canon doesn't have one of the most important features I need in the US. I really like Canon printers, but they don't do color DVD printing in the US.[yet]

cliff

Have one back in the warehouse that is still churning out receivers. Awesome piece of hardware.

JCitizen

it was bad enough when some junior "Gee" man lost a 500 item order with the new Oracle data base we had just acquired. I took particular pride in keeping all PLCs running smoothly in my area.

Michael Kassner

There is no default password. That would be better than the way HP does it now.

Michael Kassner

I wrote an article about how Google search is a huge weapon. You reaffirmed that. Oddly enough, simple mining gives the bad guys a huge amount of information.

tatec3

I.e., blocking accesses between printer and the public side. Works like a champ. A necessity, BTW, if you're using a WiFi printserver, especially in a WiFi-rich MDU or office park environment.

Michael Kassner

You are safe, just from your comments. Also thank you for commenting. I appreciate all and any input. Kudos to you

JCitizen

I'd configure my gateway on that. However, I do take a chance on a UPnP transaction occasionally to test my defenses and try a new application once and a while. After all it is a "honey pot"! This way, I also know what kind of environment my clients are coming from; so I know exactly what happened to them before I even get there. I never see most of them but once, so they are all on a new situation. They don't come back, after I've configured their PC and network, and given them a prep course on web-safety. Some would say I'm screwing myself out of a lot of money, but I'm just too lazy to let people fall on their own swords. I like to work smarter instead of harder. It gives me great satisfaction that the criminals have lost the battle too! ]:)

seanferd

You want through the router or local firewall, you have to ask. No UPnP. No auto-trust.

JCitizen

to click on the common ports and all services ports. Doing both helps get a clearer picture of what is going on. Some ISPs issue firewall enabled modems though, so you may see a crappy firewall result, when your hardware firewall is working fine. I really hate ISPs that do this. But at least if you have a services gateway, you can tell who is knocking on the leaky front door in the monthly service reports. Kiwi Syslog has a really good utility that can watch firewall reports real time. I'm sure there are several free ones out there, but I've been around Kiwi so long, I feel comfortable with it. I just don't have the bucks yet for the pro version, but I'm happy with this one for now. You simply set your firewall with the interior IP that you want the reports sent to, and it will capture them in a data base form that can be interpreted pretty easily by code reference. I don't remember where I got the code list from; I think they are pretty standard.

santeewelding

I've been checking in with that place forever. Never thought to do what you just said. Thanks, JC. Maybe it will tell me what I don't want to know.