Printer Security Testing Lab Holds Vendors to Account

You’ve locked down your PCs, managed your mobile devices and secured your servers – but what about your printers? These paper-spewing devices are often last on a company’s list of things to secure, if they make it at all. Yet they’re also a great attack vector for hackers. Not only do they house lots of sensitive information sent by employees as print jobs, but they’re also useful ingress points for those wanting to establish a foothold in your organization – especially now that lots of them connect directly to the cloud for remote printing.

Keypoint Intelligence hopes to help vendors tame that problem with its new Security Validation Testing Program. The company, which specializes in printer hardware testing and research, runs the program through its Buyers Lab, with the aim of standardizing security testing for printers. It offers a set of standard benchmarks to assess how well devices stand up to hacking, how well they comply with security policies, and how resilient their firmware is. Buyers Lab will test the devices in conjunction with accredited security testing firms, it said.

The hacking test subjects the devices to automated tools and manual techniques, while the firmware resilience evaluation measures the device's built-in code against the National Institute of Standards and Technology (NIST) guidelines for the security of connected devices. Under those criteria, a device should be able to detect an attack on its firmware and recover from it on its own.

Finally, the policy compliance test uses the printer vendor's own management tools to define a set of security settings and push them to a fleet of devices. It checks how closely the devices stay within that policy over time and, when a device drifts out of line ('compliance drift'), how easily an admin can detect the deviation and restore the intended settings.
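The policy compliance check described above can be reduced to a baseline comparison: every device snapshot is measured against the intended settings, deviations are reported, and the remediation is simply writing the baseline values back. The following is an added example, not code from Keypoint Intelligence, Buyers Lab or any printer vendor; the setting names, the baseline and the fleet snapshots are constructed for illustration, and a real fleet tool would obtain the snapshots from the devices' management interface.

```python
"""Compliance-drift check for a printer fleet against a security baseline.

Added example; not code from Keypoint Intelligence or any printer vendor.
Setting names, baseline values and device snapshots are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Hypothetical baseline: the settings an admin would push from a fleet tool.
BASELINE: Dict[str, Any] = {
    "snmp_v1_v2c_enabled": False,
    "telnet_enabled": False,
    "ftp_enabled": False,
    "https_only_admin": True,
    "tls_min_version": "1.2",
    "admin_password_set": True,
    "job_retention_encrypted": True,
    "firmware_signature_check": True,
}

# Settings where a stricter value than the baseline still counts as compliant.
ORDERED_SETTINGS = {
    "tls_min_version": ["1.0", "1.1", "1.2", "1.3"],
}


@dataclass(frozen=True)
class Drift:
    device: str
    setting: str
    expected: Any
    actual: Any  # None means the device did not report the setting


def is_compliant(setting: str, expected: Any, actual: Any) -> bool:
    """Exact match, except for ordered settings where 'at least as strict' passes."""
    order = ORDERED_SETTINGS.get(setting)
    if order is not None and expected in order and actual in order:
        return order.index(actual) >= order.index(expected)
    return actual == expected


def check_device(name: str, snapshot: Dict[str, Any],
                 baseline: Dict[str, Any] = BASELINE) -> List[Drift]:
    """Return every baseline setting the device violates or fails to report."""
    drift: List[Drift] = []
    for setting, expected in baseline.items():
        if setting not in snapshot:
            # An unreported setting is treated as drift: unknown is not compliant.
            drift.append(Drift(name, setting, expected, None))
        elif not is_compliant(setting, expected, snapshot[setting]):
            drift.append(Drift(name, setting, expected, snapshot[setting]))
    return drift


def check_fleet(fleet: Dict[str, Dict[str, Any]],
                baseline: Dict[str, Any] = BASELINE) -> Dict[str, List[Drift]]:
    return {name: check_device(name, snap, baseline) for name, snap in fleet.items()}


def remediation_plan(report: Dict[str, List[Drift]]) -> List[Tuple[str, str, Any]]:
    """The (device, setting, value) writes needed to bring the fleet back in line."""
    return [(d.device, d.setting, d.expected) for drifts in report.values() for d in drifts]


def compliance_rate(report: Dict[str, List[Drift]]) -> float:
    """Fraction of devices with no drift at all."""
    total = len(report)
    return sum(1 for drifts in report.values() if not drifts) / total if total else 1.0


# Constructed fleet snapshots, as a management tool might return them.
FLEET = {
    "mfp-floor1": dict(BASELINE),                                   # fully compliant
    "mfp-floor2": {**BASELINE, "snmp_v1_v2c_enabled": True,
                   "tls_min_version": "1.0"},                       # two settings drifted
    "mfp-floor3": {**BASELINE, "tls_min_version": "1.3"},           # stricter than baseline
    "mfp-lobby": {k: v for k, v in BASELINE.items()
                  if k != "admin_password_set"},                    # setting not reported
}

if __name__ == "__main__":
    report = check_fleet(FLEET)
    for device, drifts in report.items():
        print(f"{device}: {'OK' if not drifts else 'DRIFT'}")
        for d in drifts:
            print(f"  {d.setting}: expected {d.expected!r}, got {d.actual!r}")
    print(f"compliance rate: {compliance_rate(report):.0%}")
    for device, setting, value in remediation_plan(report):
        print(f"remediate {device}: set {setting} = {value!r}")
```

Two design choices matter in practice: a setting the device does not report is counted as drift rather than silently passing, and settings with a natural ordering (such as the minimum TLS version) accept values stricter than the baseline, so a device an admin has hardened further is not flagged for remediation back to a weaker value.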

Companies need this kind of test. Previous ad hoc research, conducted without vendors' help, has surfaced worrying vulnerabilities in printers. Last year, researchers at NCC Group found a variety of flaws in six printer brands. Brother, Kyocera, Lexmark, Ricoh, Xerox, and HP all came up short in tests, the company said. Bugs included buffer overflows (which can lead to remote code execution), cross-site scripting vulnerabilities in administrative interfaces, susceptibility to brute force attacks, and denial of service flaws.

Of the companies in that study, only three, HP, Fuji Xerox, and Ricoh, have so far joined the Buyers Lab program and earned the Device Penetration Testing seal. That means they've passed the hacking test, but not yet the firmware resilience and policy compliance tests. In a world where printer users have few options, any progress is positive.
