Published on August 13th, 2019 📆 | 3736 Views ⚑0
One way hackers breach a network: Out-of-date office printers
- Printing systems from six leading manufacturers have vulnerabilities that, if left unpatched, could allow third parties to remotely access corporate networks, shut down the machines or even forward copies of documents to unauthorized actors, according to research from British cybersecurity advisory NCC Group.
- Printing systems had cross-site scripting vulnerabilities or lacked sufficient cross-site request forgery (CSRF) countermeasures, which researchers say could let hackers access local networks.
- HP, Ricoh, Xerox, Lexmark, Kyocera and Brother — makers of the printing systems studied by NCC Group — have since added updates to correct the vulnerabilities. Researchers advise systems administrators to ensure vulnerable printers are using the most up-to-date versions of their firmware.
The evolution of the office printer — from a document churner to a connected device that can fax, email and scan — means malicious actors have one more target to snipe at in the enterprise network ecosystem.
Because printers have been around for so long, their cyber risk as an enterprise IoT device is often underestimated, said Matt Lewis, research director at NCC Group, in a statement to CIO Dive.
“Building security into the development lifecycle would mitigate most, if not all, of these vulnerabilities,” said Lewis. “It’s very important that manufacturers continue to invest in security for all devices, just as corporate IT teams should guard against IoT-related vulnerabilities with even small change: changing default settings, enforcing secure configuration guides and regularly updating firmware.”
Cross-site scripting vulnerabilities top the list of weaknesses found by bug bounty hunters, according to Bugcrowd’s 2019 State of Security report and a ranking from HackerOne.
Companywide cybersecurity strategies that involve comprehensive prevention and response measures are key to spotting and shoring up weak points like these in a corporate setting, said Lewis.
Cyberattacks cost the average U.S. company $13 million in 2018, a sticker price that prompted CEOs to name cybersecurity their biggest external concern in 2019.
Liabilities for lax cybersecurity measures also include fines triggered by the exposure of user’s personal data, in the context of expanding legislation on data privacy.
In July, the United Kingdom’s Information Commissioner’s Office (ICO) fined British Airways a record $230 million (£183.39 million) in the aftermath of the airline’s 2018 data breach. Google, Facebook and Equifax have each faced sizeable fines from U.S. and European regulators in connection to unauthorized user data access.