By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group
On the 17th, McAfee hosted their May #SecChat, which highlighted the current thinking around the security of embedded devices. I participated (@lkovnat) along with my colleague (@dtallinger) offering our perspectives as it relates to our business. As is typical in security when presented with a new threat, most people’s reactions are to dismiss it or minimize it. That seems to be the case here both on the vendor and customer side.
On the customer side, the thought is that “it’s embedded so it’s probably not a risk,” and on the vendor’s side there is in some cases a deliberate reluctance to address security issues either because of cost, time to market or simple inexperience. The security mavens realize the fallacy and danger of such thinking. But are they overreacting?
In the absence of any clear standards for the security of embedded devices many “securitatis” (think “Illuminati.” Can I be Stephen Colbert and invent new words?) want to test and test and then test some more. Too much of anything probably isn’t good, but the problem is no one can yet say how much is too much, at least not to a standard that is generally accepted in the community. So we have each customer defining their own threshold, which is just not workable in the long term. The smaller, less resourced customers simply can’t afford all that testing, so they are probably forced to accept an inordinate amount of risk. At the other extreme, large enterprises devote many resources to testing and may very likely be achieving diminishing returns on all that work.
What is needed is confidence building between vendors of embedded devices and consumers. The vendors need to show first and foremost that they “understand the problem.” They need to have and publish a security development lifecycle process. They need to participate in conferences and show that they understand the particular nuances of security within the domain of embedded devices. And, of course, they need to deliver the technology and services that back it up.
On the consumer side, customers need to hold vendors accountable in the marketplace for their approach to security. Sure they need to test, but they also need to understand the state of current security standards such as they are and be active in recommending which standards provide a risk level that they can accept. Clearly the thinking around the security of embedded devices is still evolving. The ubiquity of these devices makes the energy being devoted to the problem more than well justified.
What do you think – can we find a happy medium?
Modern mfp devices are too complex these days and as long as the printer is not 100% locked down to the bare essemtials, end users will always be at risk.
The link for http://www.xerox.com/download/security/information-assurance/12720f1-6c536-49fa772aae5c0/cert_WorkCentre77XX_Information_Assurance_Disclosure_Paper.pdf (Apr, 2010) is useful but egrettfully, that document has no mention whatsoever about open and filter ports 5432, 7000, 7007 (see namp below).
So, now I am foced to read http://www.office.xerox.com/multifunction-printer/color-multifunction/workcentre-7755-7765-7775/secu-enus.html.
Regards and KISS :-),
H
PORT STATE SERVICE
80/tcp open http
515/tcp open printer
631/tcp open ipp
5432/tcp filtered postgresql
7000/tcp filtered afs3-fileserver
7007/tcp filtered afs3-bos
9100/tcp open jetdirect
Harry, thanks for your post. I agree printers and mfds are too complex, especially around security, but the devil is in what you mean by “100% locked down”. One person’s 100% is another’s too extreme, while another will say it’s too lax. We haven’t come up with a better way other than to expose the controls and hopefully help the customer choose what is right for them. Sorry for all the extra reading – I hope you found something in there that was useful.