Is Your MFP an Easy Target for Hacking?
by Chris Bilello, Vice President, Solutions and Vertical Market Business Development, Konica Minolta
Picture this. You’re an office manager, and you’re starting to see employees back in the office. It’s great! There’s energy all around, a low hum of chatter and the occasional beep from the printer in the corner – nothing to worry about. Well, time to take those rose-tinted glasses off.
Printers, as well as Multi-Function Peripherals (MFP), are an underestimated source for data breaches. Sure, when you think about a ‘hack attack,’ traditionally your mind would go to PCs, web applications, file servers, data centers, etc., because that’s where you can get access to file systems, credentials and crucial private information. A successful MFP breach can result in a hacker accessing all of the above. Your everyday office printer comes loaded with the ability to integrate with the corporate network to allow for scan to email and copy-and-scan accessibility. Most worryingly, breaches can happen without anyone knowing they have occurred. And a lack of MFP security and maintenance makes breaches even easier to execute.
Why is an MFP an easy target for hacking?
With the understanding that in today’s corporate environment, communications and connectivity are indispensable, MFPs are designed to integrate into network environments. This scenario also means this office technology must cope with and comply with the same security risks and policies as any other network device, and represents a risk if unprotected. Yet despite security being high on the strategic agenda for most businesses, MFPs are often ignored as being a risk at all.
While some IT managers may be aware of the risk, they are often sidelined ahead of more pressing issues. This is especially risky for those MFPs and printers located in public areas, where they can be accessed by staff, contractors and even visitors. This leads to two main reasons these printers, which are such an integral part of our workplace activities, are vulnerable to attacks. First, many MFPs still use the default administrative login credentials with which they came. And secondly, they have been configured to use privileged accounts (like Domain Administrator) for transmitting scanned documents to network locations.
Pairing these challenges together creates an entryway for a hacker to gain access to an administrative network password, not even via a password cracking tool but simply via a small modification to the HTML code within a web browser. (Infosec, Exploiting Corporate Printers, September 2015). Further, with the advanced features available on today’s MFPs designed to make it easy for information to be copied and distributed, once a hacker is in, getting the information they need is a quick and simple job.
Mitigating these risks is crucial
These risks are nothing new, and if not properly designed and secured, an organization’s endpoint devices can be an unlocked ‘back door’ serving as a pathway between the internet and corporate networks. In fact, in 2019, Microsoft Threat Intelligence Center researchers discovered evidence of Russian hackers communicating to several external devices, and specific attempts by the hackers to compromise IoT devices, including an MFP, to breach networks. Upon gaining access, the hackers were able to infiltrate other unsecure devices and move across the network to gather higher value data (Forbes, Microsoft Warns Russian Hackers Can Breach Secure Networks Through Simple IoT Devices, August, 2019). The first logical step then is to prevent unauthorized persons from being able to operate an MFP. Preventive measures are needed, first to control access to MFPs, and second to establish some kind of security policy reflecting how the devices are actually used in real life. Here are some ways you can make sure you are protecting your business:
Always change the default device password to something complex, and do not reuse it elsewhere.
Understand the security capabilities that systems offer and utilize them to their fullest potential. For example, if your MFP device supports LDAP over SSL, use it. If your device supports TLSv1.2, use it. And if your device supports SNMPv3, use it.
Encrypt the MFP storage device.
Be extremely careful with privileged accounts. Domain Administrator-level accounts should never be used on MFPs, workstations or other lower-privileged systems that have a higher likelihood of being compromised.
Use an independently tested machine such as one from Konica Minolta’s bizhub i-Series.
Safeguarding the confidentiality of electronic documents
In response to seeing more and more of these threats in the industry, Konica Minolta has taken a leading role in developing and implementing security-based information technology in our MFPs. The Konica Minolta security standards provide protection in more than one respect, securing the network and network access, ensuring secure, authorized access to individual output devices, restricting functionalities where required, and protecting all personal user data and information content processed on the bizhub output systems.
Recently, we have taken this safeguarding even further. During more than 80 hours of penetration tests performed on the bizhub i-Series MFP devices by NTT DATA, an internationally respected IT services provider, and the Security division of NTT Ltd, no vulnerabilities were found. This has been extremely important to us to make sure our protections are robust enough to withstand outside attacks, as for many customers, especially in government, healthcare and finance, even 99.9% isn’t secure enough.
Bearing this in mind, in addition to meeting the latest industry standard Common Criteria for IT security, ISO/IEC 15408, we further validate our printers through the bizhub SECURE service. Prior to sending a device to a client’s network, bizhub SECURE configures the device with additional encryption and security settings. Together, the Common Criteria validation and the bizhub SECURE service enable us to assure customers that all our bizhub devices are highly secured, meaning no, your MFP doesn’t have to be an easy target for hacking.