Unseen security risks lurk in the copy room

Web-connected copiers, printers, and fax machines can give malicious hackers unfettered access to a trove of data.

As an IT admin, you likely spend much time contemplating the security of end-user machines and back-end systems, yet how often do you consider the security risks posed by copy machines and other smart office devices in your office? As noted in recent reports, documents stored on these machines’ internal hard drives can create security risks.

The problem is that today’s office-class multifunction printers, fax machines, and copiers often contain very capable computers: memory, hard drives, network interfaces, and software. If you can reach your printer, fax, or copier with a Web browser, then it is running a Web server (often Apache or some other open source variant).

How often do you patch your office copiers? Is it even possible, or is all the software in firmware? Apache Web Server 2.2 has had 31 vulnerabilities over the last few years, and most of them are remotely exploitable. A hacker with network access to your office equipment can exploit one of them and gain control of the device. From there they can read and copy documents and data, learn email addresses, and gather network logon names, PINs, and passwords.

Beyond just copying sensitive documents, hackers can use the computer inside a printer as their base of operations. There are no security patches or antivirus software to get in the way. As long as the equipment is running a well-known operating system (as is often the case), the hacker can install the normal tools and attack other computers on the network. A smart enterprise hacker would make sure that every printed, faxed, and copied document was sent to his or her location in duplicate.
A savvy hacker could easily learn the names of the company’s top executives and their assistants, and copy only documents associated with those individuals. It would be corporate espionage at its pinnacle. It’s likely that at least some of your office equipment contains confidential, high-business-impact (HBI) data, and I’m sure regulations set by your company, as well as those outlined by the industry, require that you protect and often encrypt that data. I shudder to think how corporate or outside auditors would react were they to know how much unprotected HBI data is stored on unmanaged and unpatched office equipment.

But how big is the risk? Risk acceptance varies from company to company, but my intuition says office equipment in normal business scenarios is low risk for a few reasons, primarily because almost no malicious hackers attack office equipment. There may be the opportunity and the vulnerability, but the likelihood of the exploit actually being used is a big variable in determining risk. To paraphrase security great Bruce Schneier, “[If exploited copy machines] are your biggest worry, then you’re doing better than the rest of us.”

End-user workstations are by far a bigger risk. There are more of them, and malicious hackers are quite successful at exploiting them. Why turn to hacking the less numerous office equipment if other methods are working well?

Still, it only takes one determined hacker to mess up your risk estimation. Thus, it probably can’t hurt to cover your butt.
IT security needs to be aware of the risk and assess the dangers in your environment, create policy mitigations, and have senior management and internal auditors sign off on the solutions and the remaining risk.

Policy considerations could include:

- Scan networked office equipment for software vulnerabilities.
- Disconnect unneeded network interfaces.
- Create a disposal policy that dictates what must be done to old “smart” office equipment before it leaves your company’s premises (wiping the hard drive, clearing memory, clearing logon information, IP addresses, passwords, PINs, and so on).
- When new “smart” office equipment purchases are being considered, find out from the vendor what software the equipment runs and whose responsibility it is to patch it.

I can tell you from experience that the copier sales guy has absolutely no clue that Web server software runs on the copier machine, much less how to secure it. Still, it can’t hurt to ask and get the vendor thinking about security. Who knows? You may get lucky and find a vendor who’s up on the subject and who’ll make the appropriate disposal process a part of the lifecycle contract.

One company, ICSA Labs, has developed a new program to address related risks. Its Network Attached Peripheral Security (NAPS) program focuses on “devices such as printers, faxes, point-of-sale systems and postage machines.” The goal is to verify that a network-attached peripheral device does not introduce any vulnerabilities into the network where it is installed and that the device itself is not vulnerable to exploitation.

Man, our job just gets tougher every day!

This story, “Unseen security risks lurk in the copy room,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.
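The first policy item above (scan networked office equipment) and the earlier observation that a browser-reachable copier is running a Web server both start with the same step: find out which services each device answers on and what its embedded web server says about itself. Below is an added example of that inventory step, written to illustrate this column; it is not code from the original InfoWorld piece or from any vendor's tool. The port list, the wording of the review flags, the documentation address 192.0.2.10 and the sample HTTP response are all assumptions, and the sample response is constructed rather than captured from a real device. Run with no arguments it exercises the parser and the assessment logic against that sample; given host addresses it probes them for real, so use it only on networks you are authorized to scan.

```python
from __future__ import annotations

import re
import socket
import ssl
import sys
from dataclasses import dataclass, field

# Services a typical networked copier/MFP exposes.  The list is an assumption
# for illustration; extend it for your fleet (e.g. 21/FTP, 23/telnet, 161/SNMP).
PORTS = {80: "http", 443: "https", 515: "lpd", 631: "ipp", 9100: "raw-print"}
TIMEOUT = 2.0  # seconds per connection attempt


@dataclass
class Device:
    host: str
    open_ports: dict[int, str] = field(default_factory=dict)
    server: str = ""  # HTTP Server: header of the management UI, if any
    title: str = ""   # <title> of the management page, if any
    flags: list[str] = field(default_factory=list)


def parse_http_response(raw: bytes) -> tuple[str, str]:
    """Return (Server header, page title) from a raw HTTP response."""
    text = raw.decode("latin-1", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    server = ""
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
            break
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    title = " ".join(m.group(1).split()) if m else ""
    return server, title


def assess(dev: Device) -> list[str]:
    """Turn the raw inventory into review items for the policy owner."""
    flags: list[str] = []
    if not dev.open_ports:
        return ["nothing answered: host is off, filtered, or not a print device"]
    if 80 in dev.open_ports and 443 not in dev.open_ports:
        flags.append("management UI is plain HTTP only: admin passwords, PINs "
                     "and address books cross the network in the clear")
    if 9100 in dev.open_ports:
        flags.append("raw print port 9100 open: any host on the LAN can submit "
                     "jobs, and job data on the wire is unencrypted")
    if 515 in dev.open_ports or 631 in dev.open_ports:
        flags.append("LPD/IPP exposed: restrict to the print server or subnet "
                     "if jobs are meant to be relayed rather than sent directly")
    if re.search(r"\d+\.\d+", dev.server):
        flags.append(f"web server banner discloses a version ({dev.server}): "
                     "check the vendor's firmware notes for fixes to it")
    return flags


def port_open(host: str, port: int) -> bool:
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT):
            return True
    except OSError:
        return False


def fetch_root(host: str, port: int, use_tls: bool) -> bytes:
    """GET / from the device's web UI and return the raw response (max 64 KiB)."""
    sock = socket.create_connection((host, port), timeout=TIMEOUT)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # devices ship self-signed certs; we only want the banner
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks, size = [], 0
        while size < 65536:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            size += len(data)
    return b"".join(chunks)


def scan_host(host: str) -> Device:
    dev = Device(host)
    for port, name in PORTS.items():
        if port_open(host, port):
            dev.open_ports[port] = name
    for port, tls in ((443, True), (80, False)):  # prefer TLS when offered
        if port in dev.open_ports:
            try:
                dev.server, dev.title = parse_http_response(fetch_root(host, port, tls))
                break
            except OSError:
                continue
    dev.flags = assess(dev)
    return dev


# Constructed sample (not captured from a real device) so the parser and the
# assessment can be exercised offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3 (Unix)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>  Copier Admin\n  Console </title></head>"
    b"<body>Device status</body></html>"
)


def demo() -> Device:
    """Offline run against the sample; 192.0.2.10 is a documentation address."""
    dev = Device("192.0.2.10", open_ports={80: "http", 9100: "raw-print"})
    dev.server, dev.title = parse_http_response(SAMPLE_RESPONSE)
    dev.flags = assess(dev)
    return dev


if __name__ == "__main__":
    hosts = sys.argv[1:]  # e.g. python mfp_inventory.py 10.0.5.20 10.0.5.21
    for dev in (map(scan_host, hosts) if hosts else [demo()]):
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(dev.open_ports.items())) or "none"
        print(f"{dev.host}: ports {ports}; server={dev.server!r}; title={dev.title!r}")
        for flag in dev.flags:
            print(f"  - {flag}")
```

This is an inventory, not a vulnerability scan: it tells you which devices have a management web server and what that server claims to be, which is exactly the list you need before you can ask the vendor what is patched and before you can point a real vulnerability scanner at the fleet. Treat the banner as a lead, not proof, since embedded builds are often rebranded or report a version that does not match the vendor's patch level.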