By Larry Kovnat, Senior Manager of Product Security, Xerox
You don’t have to be a techie to notice that cybersecurity and IT security stories have been all over the news recently. Two really captured my attention this week because they raised concerns about the security of networked devices, such as printers and MFPs.
The first one was written by Michael Chertoff, the former Secretary of Homeland Security, and it focuses on how employees can go a long way in keeping the network safe. He points out that most attacks and intrusions don’t come from people outside the network, but rather are actually a consequence of things people within the organization do “negligently or intentionally.” Thumb drives illustrate his point – he says he throws thumb drives in the garbage because using one he’s been given (i.e., at a conference) “is like eating food that you found on the floor.” He also mentions that there was a study done where thumb drives were scattered in a parking lot and 50 percent were picked up and used.
Furthering that point, check out the findings from a recent Xerox-McAfee study. These are eye-opening numbers when you consider what’s at stake. In my opinion, another overlooked problem of negligence is simply forgetting to pick up documents left in the office MFP’s output tray – something that’s as easily avoidable as not sticking that random thumb drive into your work computer.
The other topic keeping my attention last week was a study done by ViaForensics researcher Sebastian Guerrero focusing on the HP-designed JetDirect software and how it can potentially lead to hacker attacks on networked MFPs. It was covered by both InformationWeek and PC Mag. Interestingly, the articles focused too much on the “JetDirect” port (which is an industry standard used by many manufacturers, including Xerox), when it really comes down to how the protocol is implemented within the printer. Depending on which products the researcher scanned, he was able to successfully carry out some of the authentication bypass or other attacks mentioned. To my eye, the article implied that the protocol was vulnerable, which is a little unfair – what’s really going on is a flaw in the implementation of the protocol on the printer side. This is certainly something Xerox watches out for, and I’m confident that our implementations have designed out these bypass vulnerabilities.
It is probably possible to cause some denial-of-service issues on some printers, but in the case of Xerox printers and MFPs, if the job stream is corrupted in some way, we’ve put enough traps in the software so that the job is just aborted without crashing the printer. The writer does raise an interesting point within the PC Mag article about print queues, and it’s true that if the printer infrastructure uses a print server, then the job queue and data will be buffered at the server before it’s sent on to the printer. However, the article implies that all job data in print servers is vulnerable, and that’s a gross overstatement. For example, all of our products have internal print servers, and the image and job queue data is all protected with encryption, access controls, and image overwrite.
So did you happen to read any of these articles last week? Let us know in the comments below.