HP Webscan remote access open to abuse?
Zscaler finds fault with default security settings.
Cloud security firm Zscaler claims it has discovered a serious but simple scanner flaw on HP's all-in-one printers.
A document left in the scanner could be accessed by anyone on the internet, it claims.
When the HP Webscan function is enabled, the default setting is for no password protection. This means that anyone who finds the IP address can scan any document left on the scanner platen.
"Whether intentionally set up as such or, more likely, accidentally exposed via a misconfigured network,
there are numerous scanners exposed on the internet, the majority of which are not password protected," wrote Michael Sutton, vice president for security research at Zscaler, in a blog post.
"In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version," he claimed.
Sutton researched deeper by doing targeted Google and Bing searches for exposed printers. His findings from this straw poll were that half of the sample of OfficeJet scanners, usually sold to corporates, were unprotected compared with 64 per cent of Photosmart printers in smaller firms.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
He went on to try remote scanning and ended up with a collection of interesting documents. Examples of signed documents, voting forms, signed cheques, technical reports, and certificates were all harvested in his sweep.
"In researching this blog, I saw cheques, legal documents, completed ballot forms, phone numbers... and my personal favourite, Jim's diploma informing the world that he's now a Certified Mold Inspector - congratulations Jim!" Sutton disclosed.
IT PRO checked the reported flaws and discovered that the unguarded web interfaces also reveal the host and domain names, IP address, default gateway, DNS server, Bluetooth passkeys and the hardware address (MAC). In an act of unsolicited kindness you could also order a new ink cartridge or, if feeling less kind, change the printer's language to Chinese.
"HP considers Webscan to be a useful tool for consumers and small to medium businesses to share information in a fast and convenient manner when used as intended on a secured network," an HP spokesman told IT PRO.
"As a responsible market leader, HP encourages customers that use its products in a network setting to ensure that their network is properly encrypted and network security information is only
provided to trusted parties."