Subscribe: Comments on: Hacking Devices – Ensuring your printer is secure
http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/feed/
Added By: Feedage Forager Feedage Grade C rated
Language: English
Tags:
agree  buy enterprise  buy  buys printer  don  enterprise  hardware offers  might  permissions  printer  printers  security  user  work 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: Comments on: Hacking Devices – Ensuring your printer is secure

Comments on: Hacking Devices – Ensuring your printer is secure



Brought to you by GFI Software



Last Build Date: Fri, 30 Mar 2018 09:08:43 +0000

 



By: Emmanuel Carabott

Thu, 26 Nov 2009 10:04:19 +0000

Of course you are right in that an end user will not buy an enterprise printer. However nowadays they don't need too. For $100 - $200 you can buy not only network printers but also WIFI enabled printers. If a non-technical person buys a printer, he will do so according to his requirements. If he intends to hook it up at work it's likely that he will not be able to use USB due to restrictions; or he just believes that it should be network simply because all other company printers work that way. In the future it's very possible that it might get even worse in that a feature included on one printer will be included on other printers by manufacturers so as to appear on par or better than their competition; therefore WIFI is sure to spread among printers. Obviously it is a lot less likely that an employee buys a printer of his own accord and just hooks it up at work. However it does happen. One instance is all it takes. It is also unlikely that a cheap printer will have a functionality such as storing copies locally of printed documents, but you don't know what vulnerabilities it might have. Some time ago I did come across a vulnerability in a printer driver that allowed remote access to any file on the machine on which it was installed. Don't get me wrong, I know all this basically borders on paranoia... well actually it's more like right in the middle of it; unfortunately in security that's exactly where you need to be. One weak link is all it takes for all your hard work to crumble. Finally I perfectly agree with your suggestions. Permissions can definitely help to mitigate this risk and a security procedure on device management can ensure that proper security consideration are considered when installing devices. I would also add monitoring to your list just to be on the safe side. As for upnp and bluetooth you're spot on there as well. Might be a good topic to discuss in a future article. Thanks :)



By: Leandro Amore

Fri, 20 Nov 2009 20:58:36 +0000

Nice post, but although I agree with you in the dangers of unsecure devices, I really don't think that every person is in danger. I don't know the consumer habits in your country, but in Argentina it's not common to buy enterprise printers for personal use so I don't really see the problem for that kind of users. Regarding the enterprise there are two points to be taken into consideration: 1. The minimum permissions to install a local printer are Local Admin or power user (with the load/unload driver permissions). So, if a company grants those permissions to any user there are bigger problems to be taken care first. 2. I agree with you that even if installed by IT Professionals, in most cases printers are not taken into considerations from a security point of view. So it's really important for the security department to write a secure procedure for printer installation and attack surface reduction. We don't always need all the services that these hardware offers. Every device, not only printers, should be tested and analyzed by a competent IT Pro before installing it in our networks. Nowadays, most hardware offers lots of new and really comfortable services, but these comfort usually relaxes security.(For example Upnp or bluethooth.)