Auditing Security Controls of Printers, Scanners, and Multifunction Devices

greenpepperwhinnySecurity

Nov 3, 2013 (3 years and 8 months ago)

109 views

Auditing Security Controls of Printers, Scanners,

and Multifunction Devices

2010 NSAA IT Workshop and Conference

Brian
Rue

Chris
Gohlke

Go
Noles
!

Go
Gators!


Presentation Agenda


1
st

Half


MFD Functions/Services & Security Weaknesses



2
nd

Half


Preparing a MFD Audit Program

2

In the Beginning…

Chester Carlson with the first
xerographic apparatus

30’s

Not much to audit

3

Manual process


Thermal Paper Transfer

Still not much to audit…..

4

Xerox 914 was the
first plain paper
photocopier using the process of
Electro
-
photography

No USB/No Tape
Drive/No Hard
drive/It did come
with a fire
extinguisher due
to heat &
ignition issues

5

The
image above shows the channel
-
attached version of the 9700, as the tape tower
isn't present.
Under
the LS100 terminal, Xerox had placed a modified DEC PDP
-
11/34. An extra cage contained a few proprietary cards to facilitate the page ripping.
There was a Control Data 14" hard drive (the removable platter type) on sliders.

CPU/ Memory


Tape Drive
added..

6


Printer/Copier/Scanner/FAX


Wired Network Connectivity


Wireless Networking Wi
-
Fi/Bluetooth


Removable Memory


Hard Drives


Operating System


Web Server


User Accounts


Remote Access


Landline Connection


Scan to Network Share or PC


E
-
mail Integration


Web Submission of Print
Jobs


Web Browser


7

The CBS News Story
On YouTube

8

http://
www.youtube.com/watch?v=iC38D5am7go&feature=fvw


Understanding the MFD

9

MFD>A Server with a Glass Top

MFD Hardware Components


1. Central Processing Unit (CPU)


2. Memory (ROM/RAM/FLASH)


3. Hard Drive


4. Network Card


5. ABGN Wireless Radio


6. Bluetooth Radio


7. USB Connection


8. Analog Modem


9.Multicard Memory Reader


10. LCD/LED Screen


10

MFD Breakdown

11

MFD Software


Operating System
-
GNU/
Linux
, VxWorksS,
Windows NT
4.0 Embedded
, Windows
XP Embedded
, Mac OS
X,
Sun
Solaris, or Vendor Proprietary OS



Print Engine/Controllers


May be supported by
secondary OS



Database

(PostGreSQL
+)



Drive

File System (NTFS/FAT)



Additional Applications
(Document Management
-
Optical Character
Recognition or PDF conversion, Software Development Kits


Sharp OSA,
Xerox EIP, HP Open Extensibility Platform, Web Server)


12

MFD Software Security Issues


Security patches not applied to
operating system
and services with discovered vulnerabilities


Lack of
vendor support

for security
patches



Software or Operating system vulnerabilities may be used to elevate
privileges



Lack of
change management procedures




Memory storage (hard drive, ROM/RAM, flash
drive) unencrypted by default


Hard drive stores spooled and processed jobs in clear text


MFD RAM memory stores documents in clear text during and after
processing by default


Flash drives usually contain unencrypted jobs


13

MFD Services


Apache Web Server



Remote
Access
(Telnet,FTP,HTTP,SNMP
)



Bytecode interpreters or virtual
machines
for internally hosted third
party
applications



Network
service clients
for sending of
documents to different
destinations



Network
service servers

for receiving
documents for print or
storage



Image processing services

14

MFD Services Security Issues


Unneeded
services
left on increasing the
number of potential attack points into the
MFD



Services with security
vulnerabilities
not
patched



No/limited logging of
service activity


15

MFD Network Communications


Common Open Ports/Protocols


HTTP 80/TCP


SNMP 161/UDP


LPD Printing 515/TCP


PDL Printing 9100/TCP


Protocols


AppleTalk


Internet Printing Protocol


PCL


HPPCL Printing
Protocol


Telnet


IPX/SPF


FTP


TCP/IP


16

MFD Network Communication
Security Issues


No firewall rule set for ingress (traffic into the
MFD) or egress (traffic out of the MFD) filtering



MFD does not support entity PKI strategy
(no
support for CA certificates)



Print/fax/scan
jobs transmitted over
network/Internet in clear
text



Unneeded
protocols and ports
left
open


17

MFD Wireless Access


Wi
-
Fi


WEP


WPA


WPA
-
PSK


WPA
-
Enterprise


WPA2


WPA2
-
PKS


WPA2
-
Enterprise


No Encryption


Bluetooth


Prior to Bluetooth v2.1, encryption is not required and
can be turned off at any time.


18

MFD Wireless Security Issues


Unencrypted wireless
connections
transmitting documents in clear text
(intercepting documents in the air)








Potential remote attack access point into the
MFD

19

Fax Services


Fax to memory (disk/disk share)


Hardcopy fax printouts


PSTN


analog phone modem
connection

20

MFD Fax Services Security Issues


Faxes

auto print
in
an unsecured area



No
authorization required to verify recipient before
releasing
fax



Faxes held in unencrypted memory after
print



Lack
of logical separation of analog modem
from LAN
(Ability to enter LAN from modem
connection)



21

Drive Shares


Network Drive Shares


Printer Drive Shares


PC/MAC Shares



Printer Hard Drive Shares

22

MFD Shares Security Issues




No auditee procedures for configuring drive
shares



Undocumented
drive
shares



Shares
setup without encryption


23

MFD
Management

1.
Device Console

2.
Web Interface

3.
Network
client/server
enterprise
management
application

24

MFD Management Security Issues


Physical Consoles on MFDs Setup Without
Pass
Codes


Default Web Interface may not require
password


Most devices not configured with
user or group
accounts to authenticate and authorize


Limited
to no logging of user activity (console
logons, patching, administrative functions)




25

MFD Rep
air Procedures

26

Physical Security




1.
Conduct Risk Assessment to
determine if use of MFD and physical
location of device provides adequate
physical security controls.



2. Processing confidential or
sensitive data on a device in a common area
creates multiple security issues.

27

Surplus Device Procedures


1. Clean Printer
Configuration Files


2. Wipe Drives/Memory


3. Ensure no Sensitive
Paper Copies on Glass or
in Machine (legacy
paper jams)

28

MFD Certifications/Acts/Contractual Obligations


National Security Telecommunications and
Information Systems Security Policy (NSTISSP)
#11


DOD Directive 8500.1


Common Criteria (EAL1 to EAL4)


Gramm

Leach

Bliley
Act (
GLB
)


Health Insurance Portability and Accountability
(HIPAA)


Payment Card Industry


Data Security Standard


29

Potential Components of an MFD
Audit Program


Network/Server


Shares


Wireless


Access Controls


Physical Security


Encryption


Surplus


Contracts/Leasing


Policies and Procedures

30

A Majority of Which Fall Into Your
Normal IT Audit Program

MFD
Audit
Program

IT Audit
Program

31

Since you probably won’t get a ton of
audit hours for MFD’s……

32

Obtain an Understanding and
Assess the Risk


Get an inventory listing


Inquire


Observe



Get manuals


Search online for common vulnerabilities

33

Physical Security


Does the unit have a locking compartment for
the hard drive, etc?


Is there a physical reset button that will
restore the unit to factory default? Is it
secured?


Is the entire unit secured in place, or could it
be wheeled out of the building?


Is output secured?

34

Device Controls


Strong password controls at the console?


Settings/administration locked down to authorized
individuals?


Is the web interface turned on? Does it need to be?


Are unneeded network services turned on?


Is wireless on? Does it need to be? Is it secure?


Logs kept/reviewed of administration functions?


Are the logs secured?


Are there security patches for the device and if so are
they checking for them and applying them in a timely
manner?

35

Data Controls


Does the device have an option for
encrypting/automatically wiping copies after a
job prints?


Did they pay for it?


Is it turned on?


If not, why? Do they have a compensating
control?

36

Surplus


Did they lease or purchase?


If leased, what rights do they have to wipe the
drive? Is it user accessible? Are you going to
be able to audit it?


If purchased, do MFDs fall under their normal
PC surplus policies for having devices wiped?


What about when the device is serviced or
parts replaced?

37

Policies and Procedures


As always, the above should be covered by a
policy and procedure.

38

Multifunction Device Resources

39

http://h20338.www2.hp.com/enterprise/downloads/NIST%20SUBMITTED%20Configuring%20Security%20for%20Multiple%20LaserJet,%20Color
%20
LaserJet,%
20and%20Edgeline%20MFPs.pdf

40

http://
www1.lexmark.com/documents/en_us/1_SecurityBrochure.pdf

41

http://
www.office.xerox.com/latest/SECBR
-
03UA.PDF

http://
www.aot
-
xerox.com/fi l es/content/MFPsecuri ty.pdf

42

Questions?

43