Web-connected copiers, printers, and fax machines can provide malicious hackers with unfettered access to a trove of data
As an IT admin, you likely spend much time contemplating the security of end-user machines and back-end systems -- yet how often do you consider the security risks posed by copy machines and other smart office devices in your office? As noted in recent reports, documents stored on these machines' internal hard drives can create security risks.
The problem is, today's office-class multifunction printers, fax machines, and copiers often have very capable computers in them, including memory, hard drives, network interfaces, and software. If you can access your printer/fax/copier using a Web browser, then it is running a Web server (often Apache or some other open source variant).
[ Security vendor McAfee predicted Adobe's Flash and Acrobat Reader will be the preferred targets for hackers in 2010. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]
How often do you patch your office copiers? Is it even possible, or is all the software in firmware? Apache Web Server 2.2 has had 31 vulnerabilities over the last few years. Most are remotely exploitable. It's possible for a hacker with network access to your office equipment to exploit and gain control of it. There they can read and copy documents and data, learn email addresses, and gather network logon names, PINs, and passwords.
Beyond just copying sensitive documents, hackers can actually use the computer on printers as their base of operations. There are no security patches or antivirus software to get in the way. As long as the equipment is running a well-known operating system (as is often the case), the hacker can install the normal tools and attack other computers on the network.
A smart enterprise hacker would make sure that every printed, faxed, and copied document was sent to his or her location in duplicate. A savvy hacker could easily learn the names of the company's top executives and their assistants, and copy only documents associated with those individuals. It would be corporate espionage at its pinnacle.
It's likely that at least some of your office equipment contains confidential, high-business impact (HBI) data, and I'm sure regulations set by your company, as well as outlined by the industry, require that you protect and often encrypt that data. I shudder to think of how corporate or outside auditors react were they to know how much unprotected HBI data is stored on unmanaged and unpatched office equipment.