back caretBlog

Scanning for DNS

Large national retailer uncovers potential exposure via grocery scanners

Most people don't think of Big Box stores as technology centers. Brick-and-mortar retail is filled with aisles and carts and lines and people manning registers. But in reality, every store has become its own digital microcosm. Point-of-sale (POS) systems, inventory management tools, security cameras, and increasingly, in-store digital experiences—a trend known as "smart supermarkets" that include both smart carts and smart shelves that automatically track items for purchase.

Recently, a member of the ExtraHop customer success team was doing remote training with a large retail customer in North America. The retailer is your traditional Big Box store. They sell it all—groceries, clothing, toys, hardware, furniture. And they have a large footprint on the order of several thousand stores.

During the training, the security team asked to look at a view of an individual store to see what would come up. They chose a random store, and immediately started to see DNS lookups for a hostname that looked eerily like a model number: SCAN3500—and there was no domain, like '' or '.local'—just that hostname. This immediately jumped out as odd. Usually lookups are (just replace 'www' with 'machine name'). Just seeing 'machine' without the domain might be okay at home, but it has no place in any real-world network.

After a moment of head-scratching, one of the trainees chimed in with, "I think that's a scanner."

Sure enough, a quick web search for 'SCAN3500 scanner' confirmed that the device in question was indeed a digital grocery scanner widely used in Big Box retail. Now the question was, "what else is the scanner doing?"

A search of records in Reveal(x) found that this same scanner was reaching out at 1 AM local time every night to what looks like the Linux update infrastructure.

"Wait, the scanners run Linux?" remarked one incredulous analyst.

Another web search confirmed that, yes, the scanners run Linux. It also confirmed that this particular model of scanner was an end-of-life product which the manufacturer was no longer updating. An end-of-life product attempting to update itself can become a beacon for threat actors, announcing a point of entry that's likely running out-of-date software and thus vulnerable to compromise. Now imagine the nightmare of having one or more of those in every one of your stores.

On February 4, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a brief on the recently disclosed exploitation of Accellion file transfer appliances. In the report CISA explicitly mentions the following under 'Mitigations':

Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing. [ . . . ] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Whether it's a file transfer appliance, a grocery scanner, or a medical device, end-of-life devices introduce cyber risk into the IT environment.

This kicked off several areas of investigation to determine the scope of the vulnerability. The security team immediately began working to determine whether this extended beyond one store and one scanner. If a company-wide misconfiguration left the scanners attempting to update themselves, it could easily lead to a configuration management nightmare with different scanners running different levels of software.

They also started looking into whether the DNS lookup for 'SCAN3500' is a default setting. If so, it would indicate that some scanners weren't properly deployed and are still using default settings, which can include default credentials that are exceptionally vulnerable to hacking.

The security team also had to reckon with the broader issue that these seemingly benign grocery scanners run Linux. As such, they meet all the requirements for an easily exploitable pivot point: they are connected to the outside world, connected to the inside network, have plenty of storage, have sufficient compute power, and most importantly, they are usually unmonitored. Pivot points that meet these requirements are ideal launch points for a broader attack, including things like payload slicing, credential stuffing, and kerberoasting.

All food puns intended.

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed