An open-door policy invites trouble – at the printer

A hack targeting some 30,000 Internet-connected printers sparked outrage on campus, but may drive increased attention to printer security.
By
Printers may leave you more vulnerable than you think

The downside of ever-wider connectivity is, of course, that if everyone can reach you, anyone can reach you.

Scores of U.S.-based colleges and universities had a harsh reminder of this reality recently, when their networked-but-unsecured printers began to churn out flyers from a neo-Nazi organization that contained racist and anti-Semitic propaganda.

The hacker who claimed responsibility for the attack said he had used simple and widely available tools, including a search engine that identified some 30,000 printers whose port 9100 had been left exposed, and a five-line UNIX script that enabled him to feed the offending content to those devices.

Embarrassed university officials scrambled to condemn the attack, and to tighten controls on how external sources connect to university printers. Perhaps understandably, their focus was on closing the barn door after the proverbial horse had bolted.

But their experience is also a pointed reminder to every organization that has Internet-connected printers, scanners, or MFPs (multi-function printers), about the importance of striking the right balance between availability and security.

 

Public-facing is not always public-friendly

Printers, scanners, and MFPs are indispensable tools in today’s workplace. While there is often a compelling business reason to connect them to the wider world via the Internet, making these devices public-facing carries risks that should not be ignored.

According to David Escalante, Chief Information Security Officer at Boston College (which was not affected by the recent attack), Internet-exposed printers can cause “a surprising range of problems beyond unexpected print-outs from undesired parties,” especially as those devices add functionality.

“It is really important to secure ‘smart’ or ‘multi-function’ printers, as they can be used for a variety of purposes, including sending out faxes that appear to be from you, storing files, and caching documents scanned on the printer,” said Escalante.

The advanced functionality that printers, scanners, and MFPs now deliver – such as capturing documents and automatically routing them, or sending out alerts when they are in need of repair, or upgrading themselves with software patches delivered on the fly – increasingly mirrors the capabilities of a PC or mobile device. This is possible because these devices, like PCs, contain hard drives, embedded firmware, and – crucially – network connections.

As a result, it’s essential to apply to printers, scanners, and MFPs some of the same security practices you now apply to PCs and mobile devices, in order to assure the integrity of documents and document-based workflows. A recent What’s next post details these practices, which include:

  • Require user authentication
  • Centralize the auditing of network activity
  • Encrypt data to and from MFPs
  • Enforce the use of trusted network destinations
  • Implement rules-based printing

More capable and more connected printers, scanners, and MFPs offer compelling advantages in productivity and convenience. All that is required to ensure they are used and not abused are some straightforward security practices, and a little common sense.

Improve MFP security

Discover how Nuance’s comprehensive portfolio of print management, document capture, and mobile workflow solutions can help you gain control over potential security vulnerabilities.

Learn more

Tags: , , ,

Jeff Segarra

About Jeff Segarra

Jeff Segarra is the Senior Director of Product Marketing for the Nuance Document Imaging Division. He is responsible for the global team that delivers industry product positioning, messaging and content to help our customers around the world identify how Nuance solutions can meet their needs. He enjoys speaking and writing about business process improvement, The Internet of Things, document security, document conversion technologies and personal productivity. He has an MBA from Iona College, Hagan School of Business and has been working with software technology for 20 years. Jeff is an original New Yorker and, therefore, a staunch Yankees fan – in the heart of Red Sox nation.