Multifunction Printer/Scanner Security Issue Discovered

On September 7th, 2022, a client notified me that they were getting a new multifunction printer/scanner/copier the next day. I remoted into their network to check the SMTP settings for the Scan-to-Email function, and discovered the previous copier company had set it up using a third-party service, SendGrid (which in and of itself isn’t an issue). But I didn’t recognize the email domain used, so I looked it up.

The domain expired in May, and seeing that it could be a useful one in the future, I purchased the domain, set it up as an alias domain of mine (this one), and set up email in the same way, but added a filter so that all email to that domain would go to a folder and skip the inbox.

Within a couple of hours I discovered the issue, because that folder began receiving a significant amount of email: copiers set up the way the copier company set them up were not only sending the Scan-to-Email scans to their intended recipients, but also to the email address used in the setup. Any Reply-All responses were also received.

Why is this a concern? It means that for as long as the copier company used that method of setting up SMTP, they potentially received copies of everything your organization scanned and sent through those machines, right up until the domain expired. After that, whoever holds the domain receives them, as I now do.

I’ve reached out to the copier company.

From a security perspective, those scans should be sent through your own email system, or, if a third-party relay is unavoidable, through an account and domain your organization owns, so that your organization keeps control over where every copy of a scan goes.

[Screenshots showing the settings and emails used on the client’s multifunction]

If you have a multifunction printer, PLEASE have your IT provider check the SMTP settings.

To know if this affects you, do a Scan-to-Email and look at the sender address on the email that arrives. If it comes across as [something]@nwghelpdesk.com, this applies to you.
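The check above, and the mechanism described earlier (the device sending as an address at the vendor’s domain, so that the vendor also receives replies and Reply-All responses), can be automated over a saved scan email. The script below is an added example and is not code from the original post or from any copier vendor; it assumes a placeholder organization domain of example.org, and the two sample messages are constructed for the example. It flags any sender-side header (From, Reply-To, Return-Path, Sender) whose domain is not one your organization controls, and any visible recipient outside the organization.

```python
import email
from email.utils import getaddresses

# Domains your organization controls. "example.org" is a placeholder assumption
# for this example; replace it with your own mail domain(s).
ORG_DOMAINS = {"example.org"}

# Headers that decide who is treated as the sender of a scan. If any of these
# carry a domain you do not control, replies (and Reply-All) go to a third party.
SENDER_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")
RECIPIENT_HEADERS = ("To", "Cc")


def header_domains(msg, header):
    """Lower-cased domains of every address found in one header (empty if absent)."""
    addresses = getaddresses(msg.get_all(header, []))
    return sorted({addr.rsplit("@", 1)[1].lower() for _, addr in addresses if "@" in addr})


def check_scan_email(raw_message, org_domains=ORG_DOMAINS):
    """Return a list of findings for one Scan-to-Email message (empty means clean)."""
    msg = email.message_from_string(raw_message)
    findings = []
    for header in SENDER_HEADERS:
        for domain in header_domains(msg, header):
            if domain not in org_domains:
                findings.append(f"{header} uses third-party domain {domain}")
    for header in RECIPIENT_HEADERS:
        for domain in header_domains(msg, header):
            if domain not in org_domains:
                findings.append(f"{header} includes outside recipient domain {domain}")
    return findings


# Constructed sample resembling the configuration described in the post:
# the device sends as an address at the copier vendor's domain.
SUSPECT_SCAN = """\
From: Scanner <scanner@nwghelpdesk.com>
Reply-To: scanner@nwghelpdesk.com
Return-Path: <bounces@nwghelpdesk.com>
To: alice@example.org
Subject: Scanned document

(scan attached)
"""

# Constructed sample of a device sending through the organization's own mail system.
CLEAN_SCAN = """\
From: Office Scanner <scanner@example.org>
Return-Path: <scanner@example.org>
To: alice@example.org
Subject: Scanned document

(scan attached)
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_SCAN), ("clean", CLEAN_SCAN)):
        print(label, check_scan_email(sample) or ["no third-party domains in headers"])
```

Save a scan email as a .eml file and pass its contents to check_scan_email. A clean result only tells you what the recipient can see: a device configured to send an extra copy to the vendor’s address (for example as a hidden Bcc) leaves no trace in the delivered message, so the only conclusive check is the SMTP and address-book configuration on the device itself.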

I can be contacted at xeroxissue@itserviceworks.com


Edit, 10/17:
Due to lack of candor and/or willingness to address the security issue discovery that I brought to Xerox in good faith without request or demand, the domain has been sold to another entity.

To be abundantly clear: the domain itself was never the security concern: it only allowed the discovery.

The issue is the SMTP configuration used by QBSI and CTX on some of the MFCs that allows for scans from those machines to be sent outside of the purview and control of the sender and recipient. Considering some of those MFCs are scanning and sending protected health information or potentially confidential or sensitive information, this is a major concern. But even more fundamentally, it betrays the trust users of those MFCs have that the scans they send are received by the person or organization they send to, and no others.

Xerox’s own Code of Business Conduct (published here), under the section Safeguarding and Using Customer Information, states:

We respect and are committed to safeguarding the confidentiality, data privacy, and security of information that our customers have entrusted to us, including confidential information, personally identifiable information, proprietary information, and trade secrets. We exercise appropriate care at all times to prevent unauthorized disclosure and use of customer information. We take our responsibilities for customer confidentiality, data privacy, and security seriously and implement appropriate safeguards for the use and handling of this information in accordance with our information security and privacy policies, and in accordance with all applicable laws.

The configurations discovered clearly violate that section, and perhaps even more importantly, the lack of willingness to address the issue once it was made known, violates it even further.

Edit, 10/21: posted about the examples of communication issues with Xerox here.