A recent security warning that networked scanners could expose sensitive corporate data is a reminder that businesses should be diligent about the security of all networked devices, for example by locking them down with appropriate passwords. However, forcing a default password onto such devices will not resolve the problem, according to an industry observer.
Zscaler's vice president for security research, Michael Sutton, wrote in an Aug. 31 blog post that embedded remote scanning capabilities in "network-aware" scanners can allow users on the network to not only remotely trigger the scan functionality, but also retrieve the scanned image without the need to be physically present at the machine.
Sutton explained: "What many enterprises don't realize is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and if a document was left behind, scan and retrieve it using nothing more than a Web browser."
To make matters worse, the remote scanning feature is "generally turned on by default with absolutely no security whatsoever", he said, citing Hewlett-Packard's scanners and its Webscan service. HP, he added, displays the password-protection status of scanners, which aids malicious external parties.
In a follow-up comment to his blog post, Sutton acknowledged that properly configured firewalls would eliminate the external threat to such scanners, but argued that an administrator password should be "forced out of the box", as firewalls would not address the potential threat from rogue or disgruntled employees.
Disable remote by default
However, not all agree that vendors ought to ship scanners with administrative passwords turned on by default.
Eric Lam, enterprise sales director for Symantec's Asia-Pacific and Japan specialist sales, told ZDNet Asia in an e-mail interview that default passwords should not be implemented as they are "typically never changed and allow hackers an easy entry point".
A more practical solution, Lam said, is to have remote capabilities "disabled by default out of the box". Should organizations wish to enable the remote functionality, they can then implement a complex password during the initial configuration.
"This password should be set by the network administrator, not the vendor or employee setting up the scanner," he said.
To further enhance the security of such scanners, enterprises should disable remote capabilities if these are not required, Lam advised. Most businesses, he said, "would likely not have a need" to share scanned data over their network and, hence, should require employees to physically insert and remove documents from the machines.
"Alternatively, some networked scanners provide mailbox facilities where scan outputs can be stored and retrieved by designated recipients using specific pre-assigned passwords," he added. "This would reduce the possibility of human errors such as selecting a wrong recipient and sending confidential information to the wrong location or e-mail."
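As an added illustration of the configuration policy Lam describes above (example code written for this article, not from Zscaler, Symantec or any scanner vendor), the following Python audit checks constructed scanner inventory records: remote scanning may be enabled only where a business need is recorded, and where it is enabled, a complex password set by the network administrator must be in place. The record fields, the inventory values and the complexity thresholds are assumptions.

```python
"""Audit networked-scanner configuration records against the policy:
remote scanning off unless required; if on, a complex admin-set password."""
import re
from dataclasses import dataclass
from typing import List

# Assumed record layout (constructed for this example); a real inventory would be
# exported from the devices' management interface or an asset database.
@dataclass
class ScannerConfig:
    name: str
    remote_scan_enabled: bool
    remote_scan_required: bool   # business justification recorded by the admin
    admin_password: str          # "" means no password has been set
    password_set_by: str         # "admin", "vendor" or "employee"

MIN_LEN = 12                     # assumed policy threshold
_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def is_complex(pw: str) -> bool:
    """At least MIN_LEN characters using three of the four character classes."""
    return len(pw) >= MIN_LEN and sum(bool(re.search(c, pw)) for c in _CLASSES) >= 3

def audit(cfg: ScannerConfig) -> List[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    if cfg.remote_scan_enabled and not cfg.remote_scan_required:
        findings.append("remote scanning enabled without a recorded business need; disable it")
    if cfg.remote_scan_enabled:
        if not cfg.admin_password:
            findings.append("remote scanning enabled with no administrator password")
        elif not is_complex(cfg.admin_password):
            findings.append("administrator password does not meet the complexity policy")
        if cfg.password_set_by != "admin":
            findings.append(f"password set by {cfg.password_set_by}, not the network administrator")
    return findings

# Constructed sample inventory: one non-compliant device, one compliant, one with remote off.
SAMPLE = [
    ScannerConfig("lobby-mfp", True, False, "", "vendor"),
    ScannerConfig("finance-scan", True, True, "Ledger!Scan-2024", "admin"),
    ScannerConfig("hr-scan", False, False, "", "employee"),
]

if __name__ == "__main__":
    for dev in SAMPLE:
        for finding in audit(dev) or ["compliant"]:
            print(f"{dev.name}: {finding}")
```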
At the end of the day, networked scanners are exposed to the same level of threat as any other networked device, Lam pointed out.
"Businesses should be diligent about all devices attached to their network and protect them in accordance with their corporate security policies," he said.
Employees also need to be educated on the security issues involved in using networked scanners, he added. "User awareness is an important factor in preventing data leakage, and employees should be trained on the use of network devices and encouraged to adhere to company policies [to] avoid exposure of sensitive and confidential information."