Printer vulnerabilities pose data security questions
The recent reports on HP printer vulnerabilities brought into focus the IT peripheral security on the main stream. It is reported one in every four HP LaserJet printers is still vulnerable to hacking, being infected with malware and then potentially bursting into flames because people do not bother to update the firmware. Earlier, at vulnerability was discovered in the hard-coded admin account of Samsung and some Dell printers that could be remotely exploited as a backdoor. Some time ago, Printer manufacturer Xerox has issued a security patch for several models of its WorkCentre multifunction devices in order to address a critical buffer overflow vulnerability.
Like any other devices, network printers could potentially be an IT nightmare. Printers can be a source of a company’s most timely information, says Gartner Group Research vice president Ken Weilerstein. And that proprietary information resides within the printer long after it’s been reproduced. Some of this data will fall under legal protections for personal data. Other data will merit protection because it is proprietary.
Security has not been taken seriously for printers and photocopiers despite the fact that they have been “vulnerable to hack” for years and increasingly becoming smarter and connected to the Internet. Multiple attacks are possible now including gaining access to sensitive data for corporate espionage or identity theft, transmission of fake and misleading print jobs & faxes, eavesdropping on network traffic, launching a denial of service (DoS) attack, remotely tampering printer’s settings & making unauthorized changes to the configuration and so on. Attacks against printers, although believed to be mostly theoretical, are not unheard of. Most of the current day printers are already full-blown computers with some flavor of OS (VxWorks, LynxOS, Nucleus, Linux), embedded Java VM, Web-server Ethernet WiFi, hard disk, fax board, mailboxes and interact with (potentially have access to) RFID badges of employees/users, smart/swipe cards, fingerprints, PINs, LDAP/domain passwords etc !!!
Understand the vulnerabilities printers and photocopiers pose to your company’s information security. Have a security policy in place. Ensure proper patching and configuration of these devices. Ask few simple questions while reviewing the printer security:
- Are all default settings are changed and all passwords turned on and unused protocols turned off?
- Do unauthorized individuals have access to your sensitive data?
- Do you have a printer access policy is in place and implemented properly?
- Are sensitive documents and data remaining in your printer’s memory? If yes, who can access that?
- Do all employees have unlimited access to all printing technology? Is there a need to know/access policy in place to control uncontrolled and unmonitored device usage?
- Are sensitive documents frequently printed and then left unattended at devices? What is the time lag between printing and collecting?
- Is there a job-level tracking policy to know what is being printed and a process to review the same?
- Whether the security features of printers were considered before purchase?
- Are hard drives were removed and retained when the printer is serviced or disposed?
In addition, the network security review also should keep the printers in consideration to ensure proper security features like encryption is in place.