If you think being nestled in your high-rise office many stories above the madding crowd will keep your wireless printers and confidential documents safe, you may need to rethink your skyscraper-centric security strategy.
In October, researchers in Singapore showed how hackers armed with a cell phone and a garden-variety drone — the kind every kid is hoping to get this Christmas — can steal documents from Wi-Fi printers located 30 floors above the street.
Time for channel partners to raise their game
The demonstration puts an exclamation point on something we’ve been saying for months: In this era of heightened security concerns and increasing regulatory compliance issues, print-specialist partners need to raise their game to protect their clients’ systems, data, and sensitive documents.
Maybe the most frightening thing about the drone hack of the wireless printers is that it isn’t terribly complicated or difficult to pull off. The researchers from iTrust, a research center at the Singapore University of Technology and Design, used a custom app on a Samsung smartphone to scan for open Wi-Fi printers, identify devices and owners by SSID, and establish a bogus access point that mimics the printer and tricks computers on the network into submitting documents to it.
Any computer inside the attack zone will opt to connect to the fake printer over the real one, the researchers claim. The intercepted document gets shipped to the attacker’s Dropbox account via the smartphone connection. Adding insult to injury, the document is then sent to the office’s real printer so the victim gets their hard copy and can’t tell they’ve been hacked.
Because the smartphone needs to be in Wi-Fi range to make the hack work, researchers simply attached the mobile device to a drone and flew it up alongside the building until it found sufficient signal to connect. The effective range of the hack is about 30 meters.
Watch how the attack worksARVE Error: need id and provider
“In Singapore … there are many skyscrapers, and it would be very difficult to get to the 30th floor with your notebook [if there is no] physical access,” Yuval Elovici, head of iTrust, told Wired magazine. “A drone can do it easily. This is the main point of the research, closing the physical gap with [a] drone in order to launch the attack or scan easily all the organization [for vulnerable devices].”
Watching the print job disappear into the cloud — and into the hands of the attackers — as a result of the Singapore drone attack is sobering, for sure. By way of reminder, here are five print security features and protocols partners need to be using to protect their customers across their entire print ecosystem:
Five print security features that can protect your clients’ entire print ecosystem
At their simplest, Multifunction Printer (MFP) access controls include provisions that require users to input a PIN to initiate a print job, and then re-enter it at the device to take physical custody of the output. Other capabilities partners should consider include role-based access controls for administrators to assign permissions to work groups based on function and need; and Microsoft Active Directory integration so an organization’s larger accounts database can be layered.
Network Security Features
Managed print services providers should restrict addresses to certain devices based on IP address, creating a basic defense against most outside attackers. Basic network authentication such as the 802.1x standard is also needed before network traffic is allowed to travel to or from an MFP to keep rogue devices off the network.
While it may seem extreme, diligent provisioning of print infrastructure, particularly in sensitive or highly regulated industries, should include the ability to encrypt all of the data traveling to and from MFPs, as well as the data at rest within those devices. Look for support for Internet Protocol Security (IPSec) and Secure Socket Layer/Transport Layer Security for encrypting customers’ scans, prints, copies, and data accessed via the Web.
Image Overwriting and Hard-Disk Management
Because the onboard hard drives in many MFPs store reams of sensitive data, managing the risk and vulnerability associated with them should be high on the lists of prudent print partners. Look for devices that offer at least three-pass image overwriting either standard or as an optional add-on to keep sensitive information from prying eyes. Also, be sure the hard drive is in a separate, locked enclosure within the MFP to thwart theft, and look for hard-drive removal kits to keep the storage media secure during equipment repairs and decommissioning.
One sneaky way hackers gain access to corporate networks is by taking advantage of the backdoor created when fax telephone line connections are integrated with network connectivity. While it may seem old-school, this hack works around traditional firewall protections and presents a serious vulnerability. Partners should look for MFPs that certifiably provide complete separation of fax lines and network connections.
In this age, when 30 million printers and MFPs are deployed, and many are connected to the network, it’s time to take the security of these devices seriously. And now that we know the attacks can come from anywhere, even thin air, print-services partners need to ensure that they’re ready for anything.
Subscribe to the Channel Partner Connection and receive email updates when we publish a new article.