Multi-Function Printers and Security Beyond Compliance

Thursday, October 20, 2011

David Sopata

1156f97fa8f23821bd838fe7d9283d90

So you’re telling me that you did a Penetration Test and all you found was this insecure printer? The fun things that you can find on MPF devices and how it might affect compliance...

Printers, copiers, and fax machines have become more complex over the years.

I find that this is largely due to a Dilbert comic strip character named “The Feature Creep” who would annoyingly want to cram more and more features into a new product line.

These devices are doing more than what they were intended to do while opening additional security risks. Not only do these Multi-Function printers (MFP) scan, copy, fax and print, but now they can send email, host web-based administrative pages, and even tell you when the ink is low.

One of the bigger risks that had been publicized in a CBS TV news broadcast from a while back is the fact that these devices are storing these image files on onboard hard drives.

The news cast showcased some sensitive personal identifiable information (PII) and even sensitive investment reports of a high profile investment firm. Even though some of these security concerns may be trivial, these devices should be addressed.

PCI does not say I need to protect my printers, who cares!

Compliance in many cases is one of the biggest drivers for security. Compliance such as PCI, HIPAA, Sarbanes Oxley, or state privacy laws etc. many not exactly require you to secure your MFPs or other devices but it might be around the corner. Since most organization generally want to do the right thing, it may be required in certain situations to go beyond compliance.

When news stories continually pop up with the subject of sensitive information being breached by recycled copy machines, compliance may one day addressing these types of issues. Since compliance is just not there yet, here are some general questions to ask when trying to understand the criticality of these systems and show some due diligence:

  • Are these devices accessible on the network? If so, how is “Administrative” access controlled?
  • How long are the image files retained on these systems?
  • If the device was compromised could you actually capture sensitive data?
  • If a hard drive fails, does the replacement process follow the normal Standard for securely destroying the disk?
  • What are some of the services enabled on these devices? Is there an administrative website, SNMP client, SMTP server? How about the accounts and passwords of the administrative websites, are they set to default accounts and passwords? 

Ideally if you had answered “No,” or “I don’t know” to these questions more than likely some of the issues may need to be addressed.

My vendors made me do it!

In many cases MFPs and other such devices are quickly configured and are plugged into a network. Normally these devices are not looked at or updated until it is time to get a new one. Unless during its life span it stopped working or started belching fire, additional settings were likely not addressed or disabled.

Vendors try to sell these devices with more features while the customer may not have considered the risks involved. One example of these features is the ability to send faxes or scanned documents through email. This sounds like a good economical feature however internal policy may state that anonymous emails are strictly forbidden.

Now that disgruntled employee has a way to send threatening or harassing emails through the printer to that one person he/she does not like. Additionally in order to even securely wipe the internal hard drive on these devices it may require voiding warranties or service contracts if the only way to securely wipe the hard drive is by totally dismantling the device.

Some vendors are currently taking a proactive approach in implementing security features such as secure deletion of image files after a print job is finished however, there really are no best practices currently developed for MFPs and other devices.

Just like any network appliance these MFPs and other print devices are small computers that are connected to the network. They have memory, storage, processors, and an operating system just like a router or a firewall. Even though these may not be directing critical network traffic or blocking unwanted packets these devices can hold sensitive information.

Before that old printer is finally decommissioned ensure that the hard drive is securely wiped. When looking at your current devices or when the new one is purchased with all the cool features check the settings, you may be surprised at what you will find.

Possibly Related Articles:
15898
General
Information Security
Compliance data destruction Hardware Security Personally Identifiable Information Hard Drives Multi-Function Printers
Post Rating I Like this!
7ca9cf570bb97d22b119f3a70d335ede
Brian Smithson "Feature creep"? Customers ask for document storage, scan-to-email, web admin, etc., and vendors provide it. Show me an IT device that hasn't suffered a similar fate.

That aside, the issues and questions you raise in this article are good. But while most of them apply equally to desktop computers as they do to MFPs, MFPs seem to get more fearmongering news coverage like that CBS report (which, by the way, was seeded buy a guy in Sacramento who makes his living sanitizing MFP disks).

I think there are two reasons why people get so alarmed about MFP security when they first find out that (OMG!) MFPs have computers and memory and hard disks in them:

(1) As you pointed out, too often MFPs have features and services that are not thoughtfully configured when the MFP is installed, and too often they are not looked at or updated after that.

(2) Unlike desktop computers, MFPs are in a sense "ownerless", so there is a human tendency to have an irrational fear of putting your sensitive information on a device that you do not "control". It is similar to being more fearful of commercial air travel than of driving to the airport, even though statistics don't support that fear.

Although your concerns are perfectly valid, the industry has done much more than you have indicated. In addition to adding security features, vendors collaborated on the creation of an IEEE standard for MFP security and on Common Criteria protection profiles for MFPs. These have been around for a few years. For more information about that, visit http://grouper.ieee.org/groups/2600/.
1319228904
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.