Unsecured multi-functional devices put organisations at risk
Businesses are ignoring the security risks introduced by multi-functional devices (MFDs). IT teams are not well equipped to assess and handle these risks, and cyber security teams do not think MFDs fall under their domain.
MFDs are not covered in Red/Blue team exercises, or security audits, says Muyowa Mutemwa, RAD: senior cyber security specialist at the CSIR, adding that this needs to change in order to better protect these devices.
Red and blue team exercises take their name from the military. A group of security professionals, a red team, plays the role of the attacker, and an opposing group or the blue team, defends against the attack.
Mutemwa will be presenting on 'Cyber security threats and mitigation techniques for multifunctional devices', at the ITWeb Security Summit 2018, to be held from 21 to 25 May at Vodacom World in Midrand.
In terms of the types of threats facing MFDs, he says these devices' hard disk drives store sensitive information during their use, and when the device is returned to the original equipment manufacturer this sensitive information could be exposed.
"Over the Internet or local network, once the attacker has successfully logged on the device, the attacker can navigate to the document image storage of the device and view, and or retrieve previously executed jobs. An attacker can also steal the MFD's hard disk drive physically."
He adds that MFDs are usually connected to a local network that is connected to the Internet and as such, are vulnerable to basic network attacks like any other device on the corporate network. "MFD will remain vulnerable unless proper care has been taken to secure these devices by changing default configuration passwords, enabling image data auto-deletion, disabling storing image data onto the MFD's hard disk drive during job processing where possible, encrypting the MFD's hard drive, setting a password on the hard disk drive, blocking MFD ports that are not being used, and suchlike."
According to Mutemwa, for MFDs that do not have the above in place, it is possible to search for them, log in into their administrative accounts using default credentials and not only view the image data but also have the ability to recover that image data.
"This is because MFDs have hard disk drives that are no different to standard computer drives. Standard computer drives do not delete data stored on them when the data is deleted even when the hard disk drive is formatted using standard formatting techniques. By using a combination of free tools and proprietary tools, it is possible to not only view previously deleted data on a hard disk drive but to also recovery previously deleted data."