After my first story on the subject of printer hacking I got a lot of e-mail with printer security horror stories. I ended on a note of skepticism that truly its a significant problem and thats still how I feel. I also get the sense, just as with computers, the newer ones are safer than the older ones.
This article about Konica Minoltas latest MFP gives you an idea of what some printer vendors are doing about security. MFPs (multi-function printers) are becoming more popular in the enterprise (or so the printer vendors tell me) and they raise a number of special security issues that dont apply to print-only printers.
I had an interesting conversation with Randy Cusick, a technical marketing manager at Xerox who has dealt with these matters, especially with respect to MFPs. These are, of course, printers with other functions built around them, and these other functions bring their own potential for vulnerability.
Some of the potential for vulnerability is relatively obvious, such as physical authentication of users at the device. Thus the Konica Minolta units with biometric authentication, for example. And at that point you need to define different user capabilities and manage them; not all users should be able to change printer settings, such as the e-mail address to which alerts are sent. Cusick cited an FBI/Computer Security Institute report saying that more than half of attacks on corporate nets came from an internal source, and an MFP could certainly be such a source.
Konica isnt the only company whose new products are better at this sort of thing than their old ones. Old high-end printers might have been UNIX boxes with FTP still installed, but the new ones are likely to have run through serious security evaluations. For what its worth, many Xerox products have received Common Criteria Certification.
Another important capability is management. Products from big companies are likely to come with SNMP MIBs, and many have their own network management tools as well. HPs Web Jetadmin software allows what they call "fleet management" and includes many security-related features like authentication.
Cusick noted that the early concerns they heard in this area came from government, as they often do. Extreme physical security measures, such as built-in hard-drive wiping, are now widely available in printers from Xerox and others to address some of their concerns. Xerox actually has a fee-based service for printer retirement in which they will physically remove the hard disk and present it to the client.
Print-only devices, such as my own Xerox Phaser 6180DN, usually dont have any hard disk in them, and this simplifies things somewhat. This may be one reason Cusick says customers want MFPs delivered locked down, and allow the admin to turn functions on as needed. But for simpler printers the customers want functions on by default.
Printers are simpler devices and managers are fairly trusting of them and dont want to have to open up ports. Printers also typically dont have passwords (other than for administration) or important authentication issues other than global on/off access.
MFPs, on the other hand, are filled with important security issues. Xerox does things like run the fax on a separate card on a separate CPU that only interfaces with the rest of the device through standard ITU T.30 protocols. The fax never writes to the hard drive (yes, this limits the storage for faxes, faxes must be stored in RAM).
As with most security issues, the best protection you have is being informed and on top of your own equipment. HP has a good Secure Imaging and Printing Web site with information thats applicable not only to their own products.
Because printers and MFPs dont have a widely appreciated reputation for security issues, they dont often get treated properly. There should be some input from those with security responsibility in printer purchase and management decisions. Even in smaller organizations, administration needs to be aware of the potential. HP told me a story of a K-12 school in which children learned how to use PJL commands to send (ahem!) rude messages to the console.
So it seems to me that everyone is still learning about these issues, but Im pretty upbeat. If IT cares enough about printer security to pay attention to it, the printers will be hard to attack, harder certainly than something else in the enterprise, and that might be enough for them to be left alone.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer