And so world-changing has its effect been, that according to a Forbes report, by 2025 there will be more than 80 billion active smart devices connected to the internet worldwide.
But as with most things, the increased interconnectivity has come with its own drawbacks. With the rush to go-to-market, IoT manufacturers often forget, dismiss and ignore a tiny but crucial element to it all: security.
So notoriously bad is the IoT security issue that there exists a search engine, specifically for IoT devices that are inadvertently open to the world. Tap in a few words and Shodan.io can show you the blueprint for industrial machinery, live feeds off baby monitors as well as documents being processed by publically available devices and printers.
So how threatened is the print industry by the security black holes on IoT devices? Is a catastrophic breach inevitable? The answers are a mixed bag.
As industry insiders opine, when you think about cyber attacks, printing may not be the first thing that comes to mind. However, today’s printers and multi-functional products (MFPs) are intelligent networked assets with known vulnerabilities that if exploited can allow attackers to breach a business’s network.
Threat surface
Just like other IoT devices, printers are now connected to the internet as well as corporate networks creating a massively expanded threat surface and meaning that they’re open to attack if not properly protected. For opportunists they can represent a convenient cyber security back door.
The critical nature of the problem was illustrated earlier this year by a hacker who hijacked 160,000 insecure printers all over the world proving that printers need to become a part of every organisation’s cyber security strategy.
The most important point to remember here is that there is virtually no difference between a home printer and an industrial one when it comes to getting blindsided by a cyber attack. The only way they differ is in the scope of what is at stake.
As Liviu Arsene, senior e-threat analyst at Bitdefender says: “Printers come with various protocols and ports that support internet connectivity, effectively enabling users to easily plug in the device within their network and start printing either using local or remote endpoints. IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and other ports are usually left open by default in some printers, making them susceptible to remote external connections from outside the local network.
“Because they share the same network as laptops and other end-points, printers can be used as an attack vector into an organisation, or attackers can simply perform a ‘man-in-the-middle’ attack.”
There are multiple entry and exit points into a network from which data can flow and the printer is one of these. Whether the data is in the form of e-documents or traditional paper formats, it is important to know the risks and have an understanding of what data is being held in the printer.
And while the task might seem daunting, it might not be that difficult to get a handle on. Most print professionals, however, concur that one of the biggest security issues relating to printer vulnerability is the human factor. Stephen Beaven, head of IT at Opus Trust Marketing, says: “As with any systems on your infrastructure, when IoT devices are being installed you need to adhere to some basic rules.
“Firstly, ensure you abide by the principle of least privilege – so only give it access to what it actually needs in order for it to function, and open only the necessary ports on your firewall to allow external systems to talk to it. Lots of production kit now send statistics back to the manufacturer to help improve performance or to alert on potential system failures – but you need to know exactly how this information is gathered and what is being sent.
“Anything which faces the internet needs to be in a different network segment to your data and other business systems – you need to ensure that if the IoT device is compromised it can’t harm any other parts of your business.
Always update
Michael Field, founder and director of Workflo Solutions says that another worry is that most companies don’t have a strategy to prevent potentially damaging data breaches. And according to him, it is all about getting the basics right: “Make sure to keep up with software updates as a savvy hacker can exploit older versions and gain network access. Ensure printers are not visible on the public network and check with IT managers to ensure they are on the ‘private subnet’.”
And when it comes to secure printing, there is a whole different set of issues to handle. Wayne Carlisle, IT director at Checkprint, says: “We are ISO 27001 certified and have just been re-accredited by Cyber Essentials Plus.
“The IoT we use in our business is our laser printers. They are our only points of getting infiltrated and allowing communication with the outside world. The way we keep on top of things is by using dual-layer firewalls, penetration testing regularly as well as continual investment in infrastructure and personnel.
“With these devices you get man-in-the-middle type threats so we make sure to disable all means of communicating with anything that the printer doesn’t need to – no wifi, no other networks, it is on a DMZ, and we change the IP address as soon as the machinery comes through the doors. We harden all of our equipment by identifying and reducing risks. This starts from the equipment itself – we invest in best of breed to make it do what we need it to do.
“Data is not stored on our printers and is removed immediately after use. We have disabled ‘emailing the document’ directly from the printer – the person that it is being emailed to is the potential problem, not the selecting of incorrect name.
So, is the interconnectivity really useful? Has the internet of things made printers’ lives more difficult and cumbersome? Would they really prefer to go back to the days when work was all manual and all machines ‘unsmart’?
Martin Ruda, Tall Group managing director, thinks not. Ruda’s group of security printing businesses, including Checkprint, works with high-profile banks, government, corporates, and utilities. It handles data for various categories of secure document.
“IoT and internet connectivity has certainly made our life easier but to have that comfort, we have also had to make substantial investments. In the same way as a mobile phone is a camera and also a barcode reader, printers can do a lot of stuff, but that in itself is a vulnerability that we need to manage.
“At the strategic level, and on our end of it, the barrier to entry to our business of secure printing is because it is now more costly, and this has made our positioning in the marketplace more secure owing to less competition. But to maintain this position and to respond to all the accreditation and auditing that we need to keep our corporate customer, is an expensive and time-consuming effort.
“To keep ourselves at the top of our narrow niche and keep ourselves ahead of competition, we have to constantly reinvest and manage our ecosystem, and especially when it comes to data.”
10 key areas for organisations to secure
Capture Scanning and copying documents to uncontrolled destinations can breach data protection guidelines
Output tray Documents left on the output tray account for the biggest loss of data
Operating system an unprotected operating system could allow takeover of the machine
Ports and protocols Open and unused ports and protocols represent a risk that can be exploited
Management Without regular device scanning, persistent security holes could be exploited
Network Data can be intercepted across the network link
Cloud connection Connecting to offsite locations may leave you open to data breach
Device storage Content stored in devices could be accessed
The human factor Employees can leave sensitive information on their desk
Operation panel An unlocked panel can allow users to tamper with settings
Nigel Allen, marketing director, Kyocera Document Solutions
Top 3 IoT breaches
Mirai botnet The most well known of all breaches, Mirai was responsible for taking down Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a number of other major websites. The botnet infected IoT devices and then flooded DNS provider Dyn with a DDoS attack.
Brickerbot Similar to Mirai botnet, it relied upon a DDoS attack and customers not changing default username/password of their IoT device. While Mirai rendered devices useless, Brickerbot would ‘brick’ the device, or kill it.
Chrysler car hack Security researchers demonstrated to Wired magazine how they could wirelessly hack a Jeep that was being driven by a journalist. The researchers were able to take control of the vehicle being driven, take over dashboard functions, steering, transmission and brakes. It led to Chrysler announcing a formal recall of 1.4 million vehicles.
