So an attacker hacks into your printer. That’s no big deal, right? Printers don’t have much in the way of memory, so how much data can really be at risk if someone hacks into one?
Dallas attorney Shawn E. Tuma, one of the nation’s leading legal experts on the Computer Fraud and Abuse Act (CFAA), says that attacks against embedded systems like printers can expose companies to much larger security risks, including a costly data breach that falls under the CFAA and can bring public-disclosure obligations and regulatory penalties.
“The ‘Internet of things’ – printers, webcams, radios, and even household appliances like refrigerators and HVAC systems – do their work quietly and out of sight. But out of sight shouldn’t translate to out of mind,” Tuma says. He told a group of internal auditors attending the IIA Summit earlier this year that embedded systems pose potential security risks to networks large and small.
Tuma says that there are five primary reasons that printers and other network-aware machines present particular security risks.
- The firmware built into the device is usually simpler and less hardened than the software that runs on general-purpose machines.
- Patches are released less often for specialized devices, especially those in a niche market, and users are less likely to install them when they do become available.
- Bugs and security issues are detected and reported more slowly for specialized devices than for tablets, smartphones and computers.
- Headless devices, and those that run in the background, are often set up with little thought to security and are frequently left out of the network’s security monitoring.
- Little or no activity logging makes malicious activity harder to detect before or soon after it happens, and the devices’ limited memory and storage make logging harder to add.
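Because a printer rarely keeps a usable log of its own, the practical substitute for the logging Tuma describes is to watch the printer from the network, where every connection to and from it is visible whether the device records it or not. The Python below is an added example, not part of Tuma’s talk or of this article: it reads a small, constructed flow log (timestamp, source, source port, destination, destination port, protocol, the fields one would pull from Zeek’s conn.log or a NetFlow export) and flags the traffic patterns a printer should never produce. The printer address, the internal address ranges and the port policy are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed flow records for the example: ts src sport dst dport proto.
# 10.0.2.50 is the assumed printer; 10.0.0.0/8 is the assumed internal range.
SAMPLE_FLOWS = """\
1700000000.1 10.0.1.25 51234 10.0.2.50 9100 tcp
1700000000.2 10.0.1.26 51235 10.0.2.50 631 tcp
1700000001.0 203.0.113.7 40111 10.0.2.50 23 tcp
1700000002.0 10.0.2.50 43210 198.51.100.9 6667 tcp
1700000003.0 10.0.2.50 53011 10.0.0.2 53 udp
1700000004.0 10.0.1.25 51236 10.0.2.50 9100 tcp
1700000005.0 10.0.2.50 44120 10.0.1.25 445 tcp
"""

PRINTERS = {"10.0.2.50"}                       # assumed printer inventory
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRINT_PORTS = {9100, 631, 515}                 # JetDirect raw, IPP, LPD
ALLOWED_OUTBOUND = {53, 123, 25, 587}          # DNS, NTP, scan-to-email (assumed policy)

Flow = namedtuple("Flow", "ts src sport dst dport proto")


def parse_flows(text):
    """Parse the whitespace-separated flow records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport), proto))
    return flows


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_alerts(flows, printers=PRINTERS):
    """Return (reason, flow) pairs for traffic a printer should not see or send."""
    alerts = []
    for f in flows:
        if f.dst in printers:
            if not is_internal(f.src):
                alerts.append(("inbound-from-outside", f))
            if f.dport not in PRINT_PORTS:
                # Management or shell services (telnet, SNMP, HTTP) on a
                # printer are the usual way in and deserve a look.
                alerts.append(("non-print-service-access", f))
        if f.src in printers:
            if not is_internal(f.dst):
                # A printer calling out to the Internet is the botnet pattern.
                alerts.append(("printer-outbound-to-outside", f))
            elif f.dport not in ALLOWED_OUTBOUND:
                # Lateral movement: the printer probing file shares, RDP, etc.
                alerts.append(("printer-unexpected-internal-outbound", f))
    return alerts


if __name__ == "__main__":
    for reason, f in find_alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"{reason:40s} {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
```

On the sample data the script raises four alerts: an outside host reaching the printer’s telnet port (two reasons), the printer connecting out to an IRC port on the Internet, and the printer probing an internal workstation’s SMB port. The point is that none of these needs a log entry from the printer itself.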
“When was the last time you heard of a fraud case that wasn’t related to a computer?” Tuma adds. “Computers are far more efficient than the con artists and thieves ever were before our always-connected society, and computer fraud is really just a new way to commit old crimes.
“Computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware and denial of service attacks all boil down to one thing: deception through the use of a computer. And these days, a computer is almost anything with a microchip in it that is connected to a network.”
What’s a Computer?
When the average employee thinks of a computer, they may not include smartphones, MP3 players, or printers – but in a case called United States v. Kramer, the Eighth Circuit Court of Appeals acknowledged that devices covered by the CFAA’s definition can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, printers and DVD players.
The case that has come to define the word “computer” as it relates to the CFAA wasn’t about hacking or data breaches. It was a criminal case in which a man pled guilty to taking a minor across state lines in order to have sex with her. The defendant, Neil Kramer, admitted using his cell phone to make voice calls and send text messages to the victim for a six-month period before the crime.
The district court, over Kramer’s objection, concluded that the phone was a computer and imposed a longer sentence based on his use of a computer to commit the crime. In upholding the longer sentence, the appeals court applied the CFAA’s statutory definition of “computer” and held that even a basic cell phone used only for calls and text messages falls within it.
The CFAA’s operative provisions apply when someone accesses a protected computer without authorization, or exceeds their authorized access, and in doing so:
- Obtains information
- Commits a fraud
- Obtains something of value
- Transmits damaging information
- Causes damage
- Traffics in passwords or
- Commits extortion
The CFAA’s definition of a computer turns on processing or storing data, not on the device’s form. Specifically, the law says that the term computer means “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device…” The law specifically excludes only a few types of devices, including “an automated typewriter or typesetter, a portable hand-held calculator or other similar device.”
The CFAA applies only to “protected” computers, which in practice limits the problem of applying it to alarm clocks, toasters, and coffee makers: the statute defines a protected computer as one used by the federal government or a financial institution, or one used in or affecting interstate or foreign commerce or communication, and the courts have held that any computer connected to the Internet meets that test.
Can Your Printer Really Expose Your Data?
According to Jared Hansen, CEO of secure mobile printing leader Breezy, the answer is clear: yes. “The potential for printers to become the focus of a data breach was clearly demonstrated back in 2012 when an anonymous security researcher deployed software to infect over 400,000 embedded devices, creating a botnet called Carna,” Hansen says. “Carna wasn’t malicious. It collected information from connected printers and other devices to create a census of connected devices. Ignoring the ethics of the project, Carna demonstrated once and for all how vulnerable printers, webcams and other devices can be.”
Another security researcher, HD Moore at Rapid7, published a report last year on more than 100,000 serial ports reachable over the Internet through terminal servers. A terminal server that exposes a serial console without authentication hands an attacker whatever sits on the other end of the cable, and where an administrator has left a shell session logged in on that console, the attacker gets live, unauthenticated access to the server. Hansen says that the serial ports – like the vulnerable printers – could have been protected, but simply were not.
“I talked to someone once about the risks in unsecured printer networks, and he thought I was joking. ‘What’s a hacker going to do if he accesses my printer? Waste a lot of paper and ink cartridges?’
“Yes, a hacker could interrupt your workday with that kind of denial of service attack. But he could also mount a man-in-the-middle attack where the contents of the files being sent to your printer are forwarded outside your network. What kinds of information get printed in your office? Financial information, credit applications, applications for insurance, product plans, details about your customers and employees? When you look at the bigger picture, suddenly protecting those printers seems a lot more important,” Hansen adds.
“CIOs know that they can’t stop employees from printing from their mobile devices, and that many employee-owned devices are unsecured. On-device encryption is the best way to secure data before it enters the cloud or is transmitted to a printer. When you combine on-device encryption with an easy-to-use and manage secure mobile printing solution, you solve multiple problems.”
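To make the man-in-the-middle concern concrete: a job sent to a printer’s raw port 9100 is a PJL/PCL byte stream with no encryption, so anyone on the path (a mirrored switch port, an ARP-spoofing host, or a compromised printer forwarding its own input) reads the job name, the submitting user and the document text directly. The Python below is an added example, not Breezy’s code or the article’s: it parses a constructed raw-9100 capture, pulls out the PJL job metadata, strips the PCL escape sequences to recover the printed text, and applies the one check that distinguishes a cleartext capture from one wrapped in TLS (as IPPS, IPP over TLS, would be). The job contents, the user name and the simplified PCL handling are assumptions made for the example; real jobs embed fonts and graphics that this regex-level stripping does not handle.

```python
import re

UEL = b"\x1b%-12345X"   # PJL Universal Exit Language: brackets every PJL job

# @PJL COMMAND [KEY] [= "value"]  (enough of the grammar for job headers)
PJL_LINE = re.compile(rb'@PJL\s+(\w+)(?:\s+(\w+))?(?:\s*=\s*"?([^"\r\n]*)"?)?')
# PCL parameterized escape: ESC X y [value z]* value Z  (e.g. ESC & l 0 O)
PCL_PARAM = re.compile(
    rb"\x1b[\x21-\x2f][\x60-\x7e](?:[+\-]?[\d.]*[\x60-\x7e])*[+\-]?[\d.]*[\x40-\x5e]")
# PCL two-character escape: ESC followed by one character (e.g. ESC E = reset)
PCL_TWO_CHAR = re.compile(rb"\x1b[\x30-\x7e]")

# Constructed capture of one job as it would cross the wire to TCP/9100.
SAMPLE_JOB = (
    b'\x1b%-12345X@PJL JOB NAME="Q3 credit application"\r\n'
    b'@PJL SET USERNAME="jdoe"\r\n'
    b"@PJL ENTER LANGUAGE=PCL\r\n"
    b"\x1bE\x1b&l0OApplicant: Jane Doe\r\n"
    b"SSN: 123-45-6789\r\n"
    b"Requested credit line: $50,000\r\n"
    b"\x1bE\x1b%-12345X@PJL EOJ\r\n"
    b"\x1b%-12345X"
)


def parse_raw_job(data):
    """Split a raw 9100 stream into PJL metadata and recovered printed text."""
    pjl, text = {}, []
    for segment in data.split(UEL):
        for line in segment.split(b"\r\n"):
            if line.startswith(b"@PJL"):
                m = PJL_LINE.match(line)
                if m:
                    cmd, key, val = m.groups()
                    name = cmd if key is None else cmd + b" " + key
                    pjl[name.decode()] = (val or b"").decode()
                continue
            # Whatever is not a PCL control sequence is the document itself.
            clean = PCL_TWO_CHAR.sub(b"", PCL_PARAM.sub(b"", line)).strip()
            if clean:
                text.append(clean.decode("latin-1"))
    return {"pjl": pjl, "text": text}


def is_tls_record(data):
    """True if the capture starts with a TLS record header (handshake, TLS 1.x)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def summarize(data):
    """What an on-path observer learns from the capture."""
    if is_tls_record(data):
        return {"encrypted": True}
    job = parse_raw_job(data)
    return {
        "encrypted": False,
        "job_name": job["pjl"].get("JOB NAME"),
        "user": job["pjl"].get("SET USERNAME"),
        "lines": job["text"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_JOB))
```

Run against the sample capture, the observer recovers the job name, the user “jdoe” and all three lines of the application, including the SSN, with no credential and no exploit beyond being on the path; against a TLS-wrapped capture the same code learns only that a session took place.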
For more information on how unsecured printers and other devices can put your data at risk and your company at risk of a CFAA breach, watch this video from Breezy, or download The Definitive Guide to Mobile Printing, a free ebook from Breezy.