HP WebScan Feature Can Expose Scanned Documents

Security researchers at Zscaler say many organizations are leaving themselves open to corporate espionage via the WebScan feature included in HP's all-in-one printers.

Research from Zscaler has exposed how a feature in Hewlett-Packard's all-in-one printers can be abused remotely to steal scanned documents.

The feature, WebScan, allows users to remotely scan a document and have an image of the document sent from the scanner to their Web browser.

Unfortunately, Zscaler found that oftentimes this functionality is not password-protected and is enabled by default. During the past two weeks, Zscaler said Aug. 31, the company turned up a number of different documents on third-party scanners-including a signed check and a voting document.

HP did not respond to a request for comment in time for publication. However, Zscaler Vice President of Security Research Michael Sutton said through scanners corporations are potentially left open to the risk of leaking confidential data.

"With limited effort, within a few hours, we were able to find dozens of exposed scanners simply using Google [and] Bing queries," Sutton said. "Given the popularity of HP hardware and the fact that WebScan-like functionality has been embedded in many HP servers for years, it's reasonable to assume that the actual number [of HP scanners accessible over the Web] is quite high."

Sutton said in a blog post Aug. 31, "What many enterprises don't realize is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and ... scan and retrieve" any document left behind. In an internal threat, a "disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document," he said.

"From the perspective of an external threat, it isn't difficult to know who owns the IP address or domain name that the scanner is hosted on," Sutton said. "In general, an attacker would know exactly where the document was coming from. Enterprises can either password-protect the WebScan functionality or disable the Web interface altogether so that the scanner is not remotely accessible."

By default, the scanner has a Web interface enabled, he continued.

"Simply surfing to the IP address of [the] scanner will expose the Web interface and the WebScan functionality," he said. "The blog [post] includes a simple Perl script that can be used to scan the LAN to see if any HP devices are running Web servers."

In the same post, Sutton noted, "HP kindly lets you know on the home page if sensitive functionality is password-protected by displaying the Admin Password status alongside other status information such as printer ink levels ... [Zscaler's research found] there was a greater likelihood that HP Photosmart scanners were not locked down as opposed to Officejet scanners." Sutton attributed the difference to Officejet scanners being mostly "marketed to corporate users."

He advised, "While WebScan does provide a convenient means of obtaining a digital copy of a scanned document, this same goal could certainly be accomplished without exposing the scanner to anyone in the office. If enabled, enterprises should ensure that the feature is password-protected so that it cannot be accessed by unauthorized personnel."