Snazzy printer features could open Pandora's box

Hard drives on networked printers and MFPs could be storing sensitive data

If printers are underestimated as a source of potential savings, they are also often underestimated as a potential avenue of security violations.

There is, of course, the potential that a sensitive document might be printed and inadvertently left in the printer output tray for all to see.



But when the printer is networked, risks grow considerably. For example, many organizations require user authentication at a printer before a job will print to ensure that the appropriate person is there when the document is printed.

However, many organizations overlook the fact that networked printers and multifunctional devices have evolved into full-fledged computing devices that contain hard drives that can store sensitive data. In addition, unguarded ports on printers and multifunctional printers can serve as vulnerable access points to other network resources.

“There is a lot of capability in these devices that sometimes customers just aren’t aware is there,” said Larry Kovnat, product security manager at Xerox. “We have some guidelines for how to configure devices, such as turning on [disk] overwrite, making sure to use encryption and checking the audit log periodically. The other thing I would say is to make sure the devices are patched.”

Kovnat said he is not aware of any significant attacks that originated through a networked printer. “It’s more of a potential avenue of attack than a real one,” he said. But he added that securing printers requires more than due diligence. He said printers and MFPs have real vulnerabilities, and “it’s true that in terms of awareness of IT departments, printers and multifunction devices are under the radar.”

Managed print services can help greatly in securing that particular avenue of attack. “Anything that adds to centralized management does help the security problem,” he said, “because you have better control over configuration, you have better control over change management, you have better control over deployment.”

About the Author

Patrick Marshall is a freelance technology writer for GCN.

Reader Comments

Thu, Jun 3, 2010 No. VA

This is hardly a new problem and was recognized by DOD back in 2001 and before that by Purdue University. Amazing that few have managed to keep track of it until now. Purdue University did a student study of the risks of early Xerox multifunction devices and published a paper on the subject. Later, Xerox and other companies submitted their devices to testing under the government's Common Criteria NIAP (http://www.niap-ccevs.org/). Based on the government (and others) being leery of using multi-functional devices, some devices were redesigned and features such as easily removed hard drives and software to erase (scramble) hard drive data resulted. Our organization worked with our contracts folks to ensure that the security of devices was written into the contracts for copying/printing equipment leasing. Bottom line is that everyone in an organization must work together to protect data.
