30 Jul 2011
Attackers are exploiting the browser-based management and configuration tools found in common office appliances to compromise systems and steal data, according to researchers at Zscaler.
The security firm will deliver a presentation at next week's Black Hat conference which shows the ease with which an attacker can exploit web-enabled devices such as scanners, photocopiers and telephony equipment to steal information.
Michael Sutton, vice president of security research at Zscaler, told V3 that in many cases, an attacker can simply scan addresses until a connected device is found and a target selected.
Such devices have little to no security protection, resulting in what Sutton describes as "corporate espionage for dummies".
"There is not really any hacking involved. You just find this device and it is there sitting ready for abuse. This is functionality that was designed so you could use it," he said.
Zscaler found that security components are often unpatched or on their default settings, allowing an attacker to look up passwords and access codes from online support material.
Sutton explained that if an attacker compromised a photocopier, for example, all scanned documents and stored data on the device could be harvested.
"I am literally able to connect to photocopiers for private companies and clearly see documents," he said.
"If you had a confidential document you wouldn't leave it on an employee's desk, but you are practically doing the same thing."