Two major security flaws recently discovered in nearly all the world’s microprocessors, termed Meltdown and Spectre, leave much of the world’s computers vulnerable to hackers looking to steal entire memory contents. They allow a malicious process that can read all memory on computers, cloud servers, and smartphones without permission and can impact a wide range of processors. The flaws impact any operating system, including mobile phones and computers, and and are being addressed worldwide by security pros. Researchers have recently reconstructed this exploit by spying on passwords, reconstructing images/photos, and obtaining business-critical documents from servers and desktops. Technology companies (e.g. Apple, HPE, Intel, AMD, Microsoft, RedHat) have responded by releasing firmware fixes to prevent further exploitation.
Overlooked IT assets are vulnerable
However, often-overlooked IT assets in a business enterprise are multifunction copiers, printers, and middleware solutions (e.g. cost recovery, access control). Gone are the days of these devices only holding data in volatile memory and outputting paper and envelopes. Today, they’re robust systems that include hard drives, act as an on-ramp to electronic document routing workflows, document management and accounting systems, and may even act as a file storage. As a result, these devices should be considered a regular part of an organization’s ongoing information security assessment and management activities.
Risk to MFDs is low, but significant
Epiq’s business process solutions technology group has been in ongoing communication with equipment and middleware vendors regarding this CPU vulnerability. Overall, the risk to most multifunction devices (MFDs) and middleware solutions is relatively low, due to the proprietary nature and closed architecture of their designs. For example, multiple vendors cite security layers and unique chipsets that make installation and execution of malicious code very difficult, if not impossible, such as requiring any new software installs be digitally signed by the equipment manufacturer prior to install.
That said, it’s important to ensure your firm’s patch management policy includes MFDs and middleware solutions to ensure these devices have the most current firmware and software applied, and to have ongoing coordination with your equipment providers or authorized equipment dealers to ensure all components (e.g. EFI Fiery or Xerox FreeFlow) have the latest operating system updates as well.
An additional layer of security can be applied by implementing a few basic steps to protect your business and your customers’ data:
-
Activating the device data erasure / data wipe feature to occur during or after a job is a good security measure; some devices allow data erasure to occur on a set schedule as well
-
Changing the device’s factory default password on your fleet
-
Disabling all USB ports
-
Disallowing scan-to-email jobs to be sent outside of your environment
-
Applying encryption to scan jobs and setting up secure printing
-
Deploying an equipment device monitoring solution (to better manage the fleet)
-
Increasing device security by disabling unused ports
While multifunction devices may be low-risk, it’s smart to take precautions against these threats. Savvy legal and IT practitioners will perform a thorough security and risk assessment, and then take steps to remediate areas of identified risk.
