Almost anything can be hacked—even seemingly benign office tools such as printers and scanners, according to Michael Sutton, vice president of security research at Zscaler.
In a presentation at Black Hat USA in Las Vegas, Sutton said that extracting data from physical hardware devices used to require a copious amount of effort and skill for hackers, but modern hardware devices equipped with embedded Web servers make that feat a lot easier.
"For ease of use, they’re building these devices with an embedded Web server. That’s great from a functionality perspective," Sutton said in an interview with CRN. "But from a security perspective, it should be treated no differently than any other Web server.”
Like any other Web-facing device, the embedded Web servers in printers and scanners enable easy access for remote hackers attempting to obtain data, mainly due to misconfiguration and lack of basic security implementations such as passwords, Sutton said.
“Tens of thousands of these devices are accessible on the Web, and pose some significant threats,” Sutton said.
One such device is a printer, which contains embedded Web servers designed to retrieve a digital copy of everything previously scanned.
Throughout the course of his research, Sutton was able to connect to random organisations which enabled him to view and retrieve documents. Ostensibly, a malicious hacker or insider, could view sensitive documents or customer data from a desktop, especially if they knew what was being copied.
“The copier actually archives recent items,” Sutton said. “There doesn’t have to be anything [like copying] happening at the time, just the last 20 to 50 documents that went through that machine.”
Sutton said that most organisations need to implement basic security mechanisms, such as password protection, while regularly updating the firmware with the latest patches. In addition, printers should be incorporated as part of the organisation’s security audits.
"Like any other Web server, it should be part of your patch management process, Sutton said. "And whether it’s the Internet or intranet, the hardware appliance needs to be included in that audit."
In addition, Sutton also researched HP scanners, and found that they, like printers, could also be mined for data.
Most modern scanners contain a functionality called a Web scan, although Sutton added that most users “don’t truly understand the real value” of a Web server in the device. In fact, most Web-enabled scanners end up becoming Web-connected due to misconfiguration.
“Why would someone realistically put their scanner on the Web?” he said. “A scanner is a physical device. You have to walk over to it to scan anything. Why do I need to run that from my Web browser?”
The threat of attack is mitigated somewhat by the fact that a hack could only occur as soon as a user scans a document, or if he or she leaves a document in the scanner unintentionally. While it might be challenging, if not impossible for a remote hacker to know when that occurs, malicious insiders could potentially execute a hack if they knew the moment a sensitive document was being scanned, Sutton said.
Also during his presentation, Sutton pointed out that the same kinds of attacks could be executed on phone systems that allows hackers to “flick a switch and capture phone calls.”
“The hardware industry is about a decade behind the software industry when it comes to security,” Sutton said. "A hardware device has historically been a black box. Not that they’re doing things like embedding web servers, it is more like the software industry, and a more juicy target for an attacker.”