Multifunction Printer/Scanner Security Issue Discovered

On September 7th, 2022, a client notified me that they were getting a new multifunction printer/scanner/copier the next day. I remoted into their network to check the SMTP settings for the Scan-to-Email function, and discovered the previous copier company had set it up using a third-party service, SendGrid (which in and of itself isn’t an issue). But I didn’t recognize the email domain used, so I looked it up.

The domain expired in May, and seeing that it could be a useful one in the future, I purchased the domain, set it up as an alias domain of mine (this one), and set up email in the same way, but added a filter so that all email to that domain would go to a folder and skip the inbox.

Within a couple of hours I discovered the issue, because that folder began receiving a significant amount of email: copiers set up the way the copier company set them up were not only sending the Scan-to-Email scans to their intended recipients, but also to the email address the company had used in the setup. Any Reply-All responses were received as well.

Why is this a concern? It means that for as long as the copier company used that way of setting up SMTP, they have potentially been receiving copies of every scan your organization sent, right up until the domain expired, and whoever holds the domain now receives them, as I do.

I’ve reached out to the copier company via their website and Facebook, but have yet to get a response.

From a security perspective, those scans should be sent through your own email system, or, if a third-party relay must be used, through an account and sender domain your organization owns, so that your organization keeps control over where those scans go.

Screenshots showing the settings and emails used on the client’s multifunction

If you have a multifunction Xerox through QBSI (WA) or CTX (OR), PLEASE have your IT provider check the SMTP settings.

To know if this affects you, when you do a Scan-to-Email, does the sender address of the scan come across as [something]@nwghelpdesk.com? If it does, this applies to you.
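As a practical version of that check, the following is an added example (not from the original post) that parses a received scan-to-email message and flags every From, Reply-To, Cc or Bcc address whose domain is not on a list of domains your organization owns. The sample message and the vendor placeholder domain are constructed for illustration; the real indicator on this page is the nwghelpdesk.com domain named above.

```python
import email
from email.utils import getaddresses

# Constructed sample of a scan-to-email message as a recipient would see it.
# The vendor address is a placeholder, not a real domain.
SAMPLE_SCAN = """\
From: "MFP-Lobby" <scanner@vendor-placeholder.test>
Reply-To: scanner@vendor-placeholder.test
To: accounting@client.example
Cc: scanner@vendor-placeholder.test
Subject: Scan from multifunction device
Content-Type: application/pdf; name="scan.pdf"

(pdf bytes omitted)
"""

# Domains the organization controls; anything else is a third party.
OWNED_DOMAINS = {"client.example"}

# Headers that decide where copies and replies end up.
AUDIT_HEADERS = ("From", "Reply-To", "Cc", "Bcc")


def foreign_addresses(msg, header, owned_domains):
    """Return addresses in `header` whose domain is not organization-owned."""
    found = []
    for _name, addr in getaddresses(msg.get_all(header, [])):
        if "@" not in addr:
            continue  # malformed or empty address; nothing to attribute
        domain = addr.rpartition("@")[2].lower()
        if domain not in owned_domains:
            found.append(addr)
    return found


def audit_scan_headers(raw_message, owned_domains=OWNED_DOMAINS):
    """Map each audited header to the third-party addresses it carries.

    A non-empty result means copies (Cc/Bcc) or replies (Reply-To, From)
    of the scan are routed to a domain the organization does not control.
    """
    msg = email.message_from_string(raw_message)
    findings = {}
    for header in AUDIT_HEADERS:
        foreign = foreign_addresses(msg, header, owned_domains)
        if foreign:
            findings[header] = foreign
    return findings
```

Run it over a saved .eml of a recent scan; an empty result means every copy and reply path stays on your own domains.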

I can be contacted here, with preference on email.

-----

Edit, 9/9: the configuration issue is not limited to Xerox machines; I have received scans from HP and Konica Minolta multifunction machines as well.

Edit, 9/9: after not hearing back from QBSI or CTX, I was able to get the client’s (now former) sales rep’s email, and sent the info to him to pass along as well. Thus far, no response.

Edit, 9/9: finally able to get in touch with someone from QBSI; they are forwarding the info up the chain.

Edit, 9/10: email from the QBSI service sales manager, with a Vice President in the loop, saying they’ll review the information and respond.

Edit, 9/11: had a good email exchange with the VP late last night. Appears they are taking the issue seriously.

Edit, 9/13: email from VP that issue has been resolved and inquiring about regaining ownership of domain.

Edit, 9/13: have received additional scans since email that issue was resolved, so clearly it is not.

Edit, 9/14: stats for yesterday when emailed that issue was resolved: 42 emails received, 28 of which had PDF scan attachments from their clients.

Edit, 9/14: because the email from the VP on the 13th stated the issue was resolved (and I received the largest daily volume that day), I wasn’t confident that the issue was being taken seriously, so I contacted Xerox HQ about the issue under their Ethics and Compliance program.

Edit, 9/15: stats for 9/14 are 19 emails received, 10 of which included PDF scan attachments.

Edit, 9/15: tentative offer has been made. Emails and scans are still being received, however.

Edit, 9/16: rather than track received emails, I’m tallying them here. (Google Sheet)