Michael Sutton tells the audience how to secure devices such as scanners, copiers and fax machines. Photo by Chris Taggart

Whenever you fax or copy or scan a piece of paper, you could be electronically releasing it to the world, according to an expert who spoke at Fordham about the unguarded Internet connections built into all sorts of everyday devices.

Even your voice mail messages could be downloaded if they’re spoken over a voice-over-Internet phone system that’s not secured, said Michael Sutton, vice president at Zscaler Cloud Security, on Jan. 12 at the third annual International Conference on Cyber Security.

More and more often, hardware manufacturers have “baked” the Internet into their devices without also adding the security, he said. Examples include photocopiers, printers and scanners, but also Blu-ray players, baby monitors, webcams, video conferencing systems, security systems, network-attached storage, and heating, ventilation and air conditioning systems.

“It is becoming the rule, as opposed to the exception, to be Internet-connected. It’s seen as the differentiator,” he said. “It’s seen as the ‘next-gen’ thing. And sometimes it’s great. It’s a really powerful capability, but very often there’s been no conversation about security before this is done.”

In his presentation, he frequently spoke of attackers, not hackers, underscoring the point that devices are often completely exposed to the Internet and don’t need to be hacked. His presentation was titled “Corporate Espionage for Dummies.”

“All the information that I was able to access was all done on [a]web browser. It was all done on publicly accessible devices,” said Sutton, who is vice president of security research at Zscaler, based in Sunnyvale, Calif.

Focusing on one manufacturer, he found 125,000 printers and scanners “totally exposed to the web.” While some were password-protected, the passwords were defaults, “so they’re not even really protected at all,” he said.

An attacker could access a fax machine, plug in his fax number, and automatically receive a copy of every fax it receives. He also noted that some photocopiers can create an archive of everything copied over a long period, or store every copied document at a remote location.

“If that’s unsecured, that’s a gold mine,” Sutton said. “It’s advertised as kind of an administration function so that you have a backup of everything. Well, that’s great, unless your backup is stored at the hacker’s site.”

He showed how one brand of photocopier is exposed to the web with no passwords, making it “trivially easy” for an attacker to grab its documents, he said. “If you can use a web browser, you can do this as an attacker.”

Also, he said, an attacker could download documents that were left behind on a scanner, or write a program to check for newly scanned documents every second.

To illustrate, he showed a variety of documents—with identifying information blacked out—turned up by a search of scanners. They included technical reports, signed checks, and a document showing that someone named Jim has become a certified mold inspector.

From an attacker’s perspective, he said, “It’s a public web server. There is nothing warning me that this is private data. How do I know they don’t want me to push the scanner button?”

While it’s provocative to think of a scanner being accessed by an attacker on the other side of the world, the greater risk is found within an organization, he said. “Every employee in that enterprise, every contractor, every desk that gets on the network, can also access that scanner. And that, in my opinion, is actually the far greater threat, even though the external one is a little bit more exciting.”

He called for new thinking about web-enabled hardware. “When was the last time you (penetration-tested) your photocopier? Probably never, right? But we need to change our mindset, because that is critical data.”

“You need to be treating these web servers no differently than any other,” he said. “Before you plug that ethernet cable into the back, harden that device. You need to be penetration-testing that device on a regular basis, because things change. Somebody could change a configuration [so that]something that wasn’t exposed yesterday is exposed today.”

“We plug these things in, we leave them, and we forget about them,” he said. “We need to be patching them, we need to be upgrading them. If your photocopier can’t be upgraded, sorry, you’ve got to throw it in the garbage and get one that can, because otherwise you’re opening up a big security vulnerability.”