Printer Vulnerabilities Exposed
WHEN PEOPLE THINK of IT security, printers are rarely top of mind. But they should certainly be on the list of concerns. Printers can be a source of a company’s most timely information, says Gartner Group Research vice president Ken Weilerstein. And that proprietary information resides within the printer long after it’s been reproduced.
The days when printers were just dumb devices are long gone, says Michael Howard, a Hewlett-Packard worldwide business development manager, who speaks on the topic at security conferences. Printers store materials in internal memory. Moreover, these machines are taking on computer-like characteristics, replete with routers and servers. As a result, security vulnerabilities can range from network sniffing to possible hacking attempts.
While many organizations have firewall protection, many don’t, he says. In addition, organizations frequently neglect to change the printer password. That reduces the barriers to hacking. With some knowledge about an individual machine, a hacker could change router configurations by accessing the router’s homepage.
Once the hacker is in, he can, for example, reroute documents. At one HP-serviced university, students successfully rerouted information from an academic department’s printer. They were able to print out documents in their dorm room before resending the information to the printer. That tactic enabled them to get some of the exams beforehand.
Another major area of vulnerability is hardware, specifically hard drives. Vulnerable to theft, they can also be read during repair or after being gifted to a school.
Multifunctional printers, particularly those with a fax, have also caused concern. “I think this fear dates partly back to when the Internet was mainly dial-up,” says Weilerstein. But it caused enough concern that several federal agencies banned printer/fax-combined machines.
Most important is “getting control of the device fleet,” Howard notes. For larger organizations, HP offers something called Web Jetadmin, which can centrally manage devices. Administrators can push out updates and standardize features.
In addition, the organization should not just leave data to endlessly reside on printers. Some of this data will fall under legal protections for personal data. Other data will merit protection because it is proprietary.
“Based on the nature of the information, you might want to clean [hard drives] regularly, such as monthly or weekly,” says Howard. All HP devices have full-disk erase capabilities and meet Defense Department standards for overwriting.
A final security consideration is job-level tracking to avoid abuse and to contain costs. Many printers come with PIN and smart card readers, which can help with access control and job tracking.
Companies should consider the security features of printers before they buy them. One question could be whether the company can remove and retain the hard drive before a printer is serviced. More cumbersome and expensive features, such as encrypting printing data on the network, should probably only be considered after a firm has “established a clear need,” says Howard.