Plugging the printer security loophole
Fuji Xerox New Zealand solutions architect Ross Wilkinson explains the vulnerability of office printers and MFDs to online attack, and how to successfully address the risk.
Your company’s office network security is only as good as the weakest link. Attackers will test every loophole. They might know you’ve got valuable data stored somewhere or that you will be willing to pay Bitcoin for a cyber ransom, if only they can break through your defences.
The attackers might be online vandals wanting to wreak havoc for fun or they might have a sinister intent – such as using your technology to launch a future botnet attack.
The way this game works is that teams of attackers scour the Internet looking for low-hanging fruit. They will attack the most vulnerable first. Your job is to ensure you are not low-hanging fruit. That means plugging all the security gaps.
One gap that many businesses overlook is the office printer or multifunction device (MFD); the latter is a printer that combines a scanner, copier, fax and other capabilities in a single box. It is something most people only pay attention to when it needs reloading with paper or toner, or fixing.
Fuji Xerox New Zealand solutions architect Ross Wilkinson says network printers and multifunction devices are an ‘identified attack vector’. That’s security professional jargon for a route online criminals can use to burrow their way into your systems.
He says: “Modern MFDs are, in effect, computer servers on the network. There’s a computer inside; in many cases, there is also a hard drive and communications hardware.”
Printers and MFDs are vulnerable in another way; most business-critical information passes through them. Attackers can eavesdrop on the material passing through the device.
Early in 2018 details emerged of a threat known as Faxploit. Here, all an attacker needs to compromise the device is the fax number. That’s not hard to find. Companies that use faxes often publish the numbers so people can contact them.
Of course, many modern New Zealand businesses no longer use faxes, but the technology is still common in some industry sectors. The fact that it is largely forgotten about only adds to the danger because criminals have not forgotten about it.
Faxploit works because there are vulnerabilities in the fax communication protocols which were established long before computer networks were common. Wilkinson says an attacker armed with the device’s fax number could take over and control the device.
He says: “A modern MFD would have access to send emails and also to send to file servers on the network. There would be firewall rules set in the network to allow that to happen. That means the firewall rules are, in effect, open to a malicious person pretending to be an MFD. They might not have access to users’ names and passwords, it all depends on how well the network infrastructure is locked down.”
If, say, an attacker got access to the device’s hard drive, then he or she could have access to any of the documents that had been sent to be printed, scanned or emailed.
Wilkinson says there is software available online that allows someone to inspect all the files stored on a printer hard drive. He says you can avoid this problem if you set up the device to encrypt the hard drive. It’s also good practice to not leave old documents stored on the drive.
“Turn on a three pass overwrite. This means that any inflight data is wiped over after it is used. This digital shredder feature is now available on modern MFDs, but it needs to be turned on in the device settings,” he says.
Learning how to use the device settings is the first step towards making the device secure. Wilkinson says security only secures if you use it. He says it is like the settings on your mobile phone – you don’t have to set up a password or fingerprint, you can just leave it. It’s your decision.
“Understanding the settings goes a long way toward the basics of making it secure. If you’re not particularly IT savvy, printer settings have probably not crossed your mind.”
In the past, botnets and similar attacks were a risk. If an attacker could gain access to a device, they could install their own code and trigger it remotely later. Wilkinson says this is less of a risk today because printer makers like Fuji Xerox now sign their code. In the past, machines would accept any firmware as good and trusted. Now machines have to check that the firmware is valid and from a valid source before allowing it.
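The difference between the old and new firmware behaviour described above can be shown in a few lines. This is an added example, not Fuji Xerox code: the `Device` type, its method names and the choice of Ed25519 signatures are assumptions made for illustration, and the keys and images are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Device models an MFD firmware updater (hypothetical type and field names).
// VendorKey is the vendor public key pinned in the device.
type Device struct {
	VendorKey ed25519.PublicKey
	Firmware  []byte
}

var ErrBadSignature = errors.New("firmware rejected: signature does not verify against pinned vendor key")

// InstallLegacy is the old behaviour: any image is accepted as trusted.
func (d *Device) InstallLegacy(image []byte) error {
	d.Firmware = image
	return nil
}

// InstallVerified installs an image only if sig is a valid signature
// over the exact image bytes under the pinned vendor key.
func (d *Device) InstallVerified(image, sig []byte) error {
	if len(d.VendorKey) != ed25519.PublicKeySize || !ed25519.Verify(d.VendorKey, image, sig) {
		return ErrBadSignature // currently installed firmware is left untouched
	}
	d.Firmware = image
	return nil
}

func main() {
	// Constructed keys and images for the demonstration.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	good := []byte("vendor firmware v2 (constructed sample)")
	evil := []byte("modified firmware (constructed sample)")

	d := &Device{VendorKey: vendorPub}
	fmt.Println("legacy, unsigned image:  ", d.InstallLegacy(evil))
	fmt.Println("verified, vendor-signed: ", d.InstallVerified(good, ed25519.Sign(vendorPriv, good)))
	fmt.Println("verified, tampered image:", d.InstallVerified(evil, ed25519.Sign(vendorPriv, good)))
	fmt.Println("verified, wrong signer:  ", d.InstallVerified(evil, ed25519.Sign(otherPriv, evil)))
}
```

The last two calls fail for different reasons: the signature covers different bytes in one case, and comes from a key the device does not trust in the other.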
Another aspect of MFD security is to lock down physical access to the device. Companies often install them in their reception area, which is public and not necessarily covered at all times. Criminals can walk in off the street, lift the printer cover and remove documents or install or download software using a USB key.
Wilkinson suggests not leaving printers open and available. He says it’s also good practice to insist on people using passwords to send jobs to the device and to release jobs from it. That way someone can’t walk up and see information they shouldn’t.
This may seem trivial, but the risk is real. Wilkinson says: “About 80 percent of security incidents are triggered by intentional or unintentional information leakage; half of those involve documents.”
For customers at the big end of town, Fuji Xerox has the Smartwork Innovation Group – it’s the company’s consulting arm. It will work with a customer, understanding the business and the needs for printers and similar devices, then advising on strategy.
Wilkinson says security is now a frequent topic of discussion with customers. “It is much more of a concern than in the past. These days it even comes up in the pre-sales conversations we have with clients. They want to know about security while documents are in transit, and then how to delete all traces after they’ve been dealt with. There are a whole bunch of software solutions that do that and tools like secure printing and follow-me printing (that’s when you set the printer to produce the document when you are next to it).”
He says smaller businesses don’t tend to have in-house IT people; instead, they rent help by the hour, paying a service provider to install and set up their equipment. He suggests it would make a lot of sense to have a network printer security conversation with that service provider.