Dive Brief:
- Printing systems from six leading manufacturers have vulnerabilities that, if left unpatched, could allow third parties to remotely access corporate networks, shut down the machines or even forward copies of documents to unauthorized actors, according to research from British cybersecurity advisory NCC Group.
- Printing systems had cross-site scripting vulnerabilities or lacked sufficient cross-site request forgery (CSRF) countermeasures, which researchers say could let hackers access local networks.
- HP, Ricoh, Xerox, Lexmark, Kyocera and Brother — makers of the printing systems studied by NCC Group — have since added updates to correct the vulnerabilities. Researchers advise systems administrators to ensure vulnerable printers are using the most up-to-date versions of their firmware.
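The brief above names two weakness classes in the printers' embedded web interfaces: cross-site scripting and missing CSRF countermeasures. The following is an added illustration of the defender-side fix for both, not code from NCC Group or from any of the named vendors. It models a device's settings endpoint with two hypothetical functions, `issue_csrf_token` and `handle_settings_post`; the session dictionary, the form fields and the origin `https://printer.example` are constructed for the example.

```python
import hmac
import html
import secrets

# Constructed, minimal model of a printer's embedded admin web UI. Assumption:
# the device keeps one server-side session per logged-in administrator and
# issues one random CSRF token per session (the synchronizer-token pattern).


def issue_csrf_token(session):
    """Create a random token, bind it to the session, and return it so the
    admin page can embed it as a hidden form field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def handle_settings_post(session, form, origin_header, allowed_origin="https://printer.example"):
    """Process a state-changing request (e.g. renaming the device).

    The request is accepted only if it carries the token bound to this session
    and, when the browser sent an Origin header, that origin is the admin UI's
    own. Returns (http_status, response_body)."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so a forged request cannot probe the token
    # byte by byte through timing differences.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or invalid"
    # Origin is absent on some legitimate same-site posts, so only an
    # explicitly foreign origin is rejected here; the token check is the
    # primary control.
    if origin_header is not None and origin_header != allowed_origin:
        return 403, "cross-origin request rejected"
    # XSS countermeasure: any operator-supplied value echoed back into the
    # HTML response is escaped before it is rendered.
    name = html.escape(form.get("device_name", ""), quote=True)
    return 200, f"<p>Device name updated to {name}</p>"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Legitimate post from the admin page, with a payload that would otherwise
    # be reflected as script.
    print(handle_settings_post(session, {"csrf_token": token, "device_name": "<script>alert(1)</script>"},
                               "https://printer.example"))
    # Forged cross-site post: no token, foreign origin.
    print(handle_settings_post(session, {"device_name": "pwned"}, "https://attacker.example"))
```

The token check is what actually stops a forged request; the Origin comparison is a cheap second layer. A real device would also need to bind the token to the authenticated session cookie and set that cookie with `SameSite`, which this sketch leaves out.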
Dive Insight:
The evolution of the office printer — from a document churner to a connected device that can fax, email and scan — means malicious actors have one more target to snipe at in the enterprise network ecosystem.
Because printers have been around for so long, their cyber risk as an enterprise IoT device is often underestimated, said Matt Lewis, research director at NCC Group, in a statement to CIO Dive.
"Building security into the development lifecycle would mitigate most, if not all, of these vulnerabilities," said Lewis. "It's very important that manufacturers continue to invest in security for all devices, just as corporate IT teams should guard against IoT-related vulnerabilities with even small changes: changing default settings, enforcing secure configuration guides and regularly updating firmware."
Cross-site scripting vulnerabilities top the list of weaknesses found by bug bounty hunters, according to Bugcrowd's 2019 State of Security report and a ranking from HackerOne.
Companywide cybersecurity strategies that involve comprehensive prevention and response measures are key to spotting and shoring up weak points like these in a corporate setting, said Lewis.
Cyberattacks cost the average U.S. company $13 million in 2018, a sticker price that prompted CEOs to name cybersecurity their biggest external concern in 2019.
Liabilities for lax cybersecurity measures also include fines triggered by the exposure of users' personal data, in the context of expanding legislation on data privacy.
In July, the United Kingdom's Information Commissioner's Office (ICO) fined British Airways a record $230 million (£183.39 million) in the aftermath of the airline's 2018 data breach. Google, Facebook and Equifax have each faced sizeable fines from U.S. and European regulators in connection with unauthorized user data access.