E-mail security for scanner devices to e-mail?

Jason Meyer · ‎10-23-2013

What are people's thoughts on security for devices that are setup to scan to e-mail? I can do a packet trace on a typed e-mail and capture some information, but what about scanned documents? A .pdf file looks like gibberish to me with WireShark, but I'm not a hacker. Could sensitive information be pulled from the scanned document when e-mailed over an unencrypted connection?

I realize the TO/FROM/Subject/Date/Time would be visible, but what about the contents of the scanned image? Can someone pull the information and feed it into a file and rebuild the document?

Reason I'm asking, I have a device that will be scanning documents that doesn't have TLS capabilities. Is this a security risk? Running on an external network?

Jason

David Miller · ‎10-24-2013

If you can capture the SMTP traffic it is a fairly trivial task to reconstruct the data part of that (MIME) and extract any attachments like PDFs, so if the PDF itself is not encrypted, you could view the PDF including any scanned images it contains. As SMTP travels over the Internet in clear text, unless you use TLS (Extended SMTP), you have a security risk.

If you want to email sensitive documents you need to encrypt them in some way, either encrypt the document (e.g. Winzip, PGP) or the email (e.g. PXE, S/MIME) or the email traffic (e.g. TLS).