What your multi-function printer knows can hurt you
You did a penetration test and all you found was this insecure printer - LAME!
by David Sopata, SecureState

Printers, copiers, and fax machines have become more complex over the years. I find that this is largely due to a Dilbert comic strip character named "The Feature Creep" who would annoyingly want to cram more and more features into a new product line.
These devices are doing more than they were intended to do, and that opens additional security risks. Not only do these multi-function printers (MFPs) scan, copy, fax and print, but now they can send email, host web-based administrative pages, and even tell you when the ink is low. One of the bigger risks, publicized in a recent CBS TV news broadcast, is that these devices store image files on onboard hard drives. The newscast showcased some sensitive personally identifiable information and even sensitive investment reports of a high-profile investment firm. Even though some of these security concerns may be trivial, these risks should be addressed.
PCI does not say I need to protect my printers; who cares?!
Compliance in many cases is one of the biggest drivers of security. Compliance with standards and laws such as PCI, HIPAA, Sarbanes-Oxley, or state privacy laws may not exactly require you to secure your MFPs or other such devices, but that situation might be right around the corner. Since most organizations generally want to do the right thing, it may be necessary in certain situations to go beyond compliance. When news stories continually pop up covering sensitive information being breached through recycled copy machines, compliance may one day address these types of issues. Since compliance is not at that point yet, here are some general questions to ask when trying to understand the criticality of these systems and to show some due diligence:
- Are these devices accessible on the network? If so, how is "Administrative" access controlled?
- How long are the image files retained on these systems?
- If the device was compromised, could the organization actually capture sensitive data?
- If a hard drive fails, does the replacement process follow the normal standard for securely destroying the disk?
- What are some of the services enabled on these devices? Is there an administrative website, SNMP client, or SMTP server? How about the accounts and passwords of the administrative websites; are they set to default accounts and passwords?
If you answered "No" or "I don't know" to these questions, some of the issues more than likely need to be addressed.
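The questions above can be turned into a repeatable inventory check. The following is an added example, not part of the original article: it triages device records and treats a missing answer as "I don't know". All field names, the retention limit, the approved-service list and the sample records are assumptions made for illustration.

```python
# Added example: triage an MFP inventory against the due-diligence questions.
# Field names, the retention limit and the sample records are assumptions.
MAX_RETENTION_DAYS = 0                            # assumed policy: delete images after each job
REVIEW_SERVICES = {"admin_web", "snmp", "smtp"}   # services the article asks about

def status(value, ok):
    """Map an answer to None (fine), 'unknown' (no answer) or 'fail'."""
    if value is None:
        return "unknown"
    return None if value == ok else "fail"

def audit_mfp(device, approved_services=frozenset()):
    """Return (question, status) pairs that still need attention for one device."""
    checks = []
    reachable = device.get("network_accessible")
    if reachable is None:
        checks.append(("network access", "unknown"))
    elif reachable:  # admin access control only matters if the device is on the network
        checks.append(("admin access control", status(device.get("admin_access_controlled"), True)))
    days = device.get("image_retention_days")
    checks.append(("image retention", "unknown" if days is None
                   else "fail" if days > MAX_RETENTION_DAYS else None))
    checks.append(("disk disposal", status(device.get("disk_disposal_follows_standard"), True)))
    services = device.get("services")
    if services is None:
        checks.append(("enabled services", "unknown"))
    else:
        extra = sorted((set(services) & REVIEW_SERVICES) - set(approved_services))
        checks.append(("unapproved services: " + ", ".join(extra), "fail" if extra else None))
    checks.append(("default credentials", status(device.get("default_credentials"), False)))
    return [(question, result) for question, result in checks if result]

# Constructed sample inventory (not real devices)
INVENTORY = [
    {"name": "mfp-lobby", "network_accessible": True, "image_retention_days": 30,
     "services": ["admin_web", "snmp", "smtp"], "default_credentials": True},
    {"name": "mfp-finance", "network_accessible": True, "admin_access_controlled": True,
     "image_retention_days": 0, "disk_disposal_follows_standard": True,
     "services": ["admin_web"], "default_credentials": False},
]

def audit_inventory(inventory, approved_services=frozenset({"admin_web"})):
    """Audit every record; an empty list means no open questions for that device."""
    return {d["name"]: audit_mfp(d, approved_services) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "no open questions")
```

The question of whether a compromised device could expose sensitive data is a judgment call and is left to the reviewer rather than encoded as a field.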
My vendors made me do it!
In many cases MFPs and other such devices are quickly configured and are plugged into a network. Normally these devices are not looked at or updated until it is time to get a new one. Unless during its life span it stopped working or started belching fire, additional settings were likely not addressed or disabled. Vendors try to sell these devices with more features while the customer may not have considered the risks involved.
One example of these features is the ability to send faxes or scanned documents through email. This sounds like a good, economical feature; however, internal policy may state that anonymous emails are strictly forbidden. Now that disgruntled employee has a way to send threatening or harassing emails through the printer to that one person he does not like. Additionally, securely wiping the internal hard drive on these devices may require voiding warranties or service contracts if the only way to do so is to dismantle the device entirely. Some vendors are currently taking a proactive approach to implementing security features such as secure deletion of image files after a print job is finished, but there really are no best practices currently developed for MFPs and other such devices.
Just like any network appliance, these MFPs and other print devices are small computers that have full-fledged web servers and are connected to the network. They have memory, storage, processors, and an operating system just like a router or a firewall. Even though they may not be directing critical network traffic or blocking unwanted packets, these devices can hold sensitive information. Before that old printer is finally decommissioned, ensure that the hard drive is securely wiped. When looking at your current devices or when the new one is purchased with all the cool features, check the settings. You may be surprised at what you find.
David Sopata is a consultant at SecureState for the Audit and Compliance group. Mr. Sopata has both led and participated in dozens of engagements ranging from audit activities including SAS70, COBIT general controls, Sarbanes-Oxley (SOX), North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), Payment Card Industry (PCI); to technical assessments including vulnerability assessments, attack and penetration testing, war-dialing, war-driving, social engineering, and physical access.