Well thanks to WikiLeaks this week we now know those paranoid folks who wear the tinfoil hats and think their appliances are spying on them are largely right. I think it gets especially scary when the paranoid people actually turn out to be the rational ones. Most of this stuff wasn’t even just in our homes either as the tools leaked—and supposedly this is only 1 percent of what is coming (something folks don’t seem to be remembering at the moment)—pretty much cover the expanse of IoT.
One of the areas of exposure in companies though is printers which have proven to be particularly dangerous largely because we haven’t been updating them much. We don’t consider them a security threat, and, as a result they are either not secured or use trivial passwords and IDs. Given that the only true enterprise company still in printers is HP Inc., it shouldn’t be a surprise that they have a fix for that and we should take it far more seriously than we do.
Let’s chat about that this week.
The Printer Exposure
The issue with printers is twofold. First, we have not been looking at them as a strategic internal product for some time even though they are still heavily used when folks want to read or review detailed reports—many of which are still classified. Second, they both contain this confidential information in local storage and they often have both wired and wireless connections—making them visible to the outside world and potentially able to bridge our firewalls. At the very least they can be spoofed to give up their secure network access if they aren’t properly secured or have their redundant wireless connections disabled.
While the easiest fix would be to pull them out, the fact is they’ve proven to be incredibly useful so that really isn’t an option for many and that suggests they again be treated like a real connected device until such time as they can be eliminated. Pretending they aren’t there when they are is clearly not working. Apparently this exposure was massively highlighted back in 2013 when we became aware that Google had indexed a massive number of poorly secured HP printers all over the world. Late last year this printer exposure was again highlighted by a number of publications.
Turning Lemons into Lemonade
One of the guys I used to work for used this saying regularly. Basically, it means turning a problem into an opportunity and that is what HP did after being pounded on about the problem. HP created their <href=”#ZsbadWvUHMju2Tme.97″>Secured Managed Printer Services to address this problem. Their idea, and it is a good one, is to again wrap these printers with a remote management tool that will assure they are secured adequately, that no external hostile actor can use them as a bridge through a firewall, that their internal storage is safe, and that they never become part of the IoT disaster that WikiLeaks has so recently reported. This ties into a Secure Enterprise Asset Management (SEAM) solution to make sure the printers are treated like full members of the security solution and not a ticking time bomb of increasingly obsolete or unsecure technologies waiting to be exploited.
So, rather than sitting back and having an “oh crap” moment, HP stepped up and created a series of tools that could at least mitigate the exposure—and in most cases fully eliminate it—simply by embracing the printers rather than pretending they have somehow magically vanished while still being in service.
Wrapping Up: You Can’t Ignore These Threats
The big takeaway from this is you can’t ignore these threats. We have state-level actors now deeply in this game and that means we absolutely have to secure every connected piece of technology we have. That also means updating the hardware and software, or replacing what we can’t secure—and wrapping as much as possible with automated and centralized management tools because no one is giving us more people. Or, put more bluntly, you have a printer security problem, you should likely look to the market leader for printers to help you fix it before it moves from being theoretical to actual and you have to do one of those incredibly expensive disclosures. Just saying…