There is no question that the cyber landscape is becoming increasingly complex and diverse. At the same time, companies often forget that printing systems, telephones and multifunction devices must also be integrated into their own IT security strategy.
Can my printer be hacked?
Paper inserted incorrectly, it doesn’t stop printing or doesn’t start at all … In times of digitalisation, many employees have a love-hate relationship with company printers. Thanks to their own operating system, web servers and network technologies, printers are becoming more and more intelligent, powerful and – the dangerous thing about it – networked! Because this is accompanied by many risks – not to mention tablets, smartphones and other end devices. Nevertheless, according to the IDC report, only 89 per cent of those surveyed see desktop and notebook PCs as part of their endpoint security strategy.¹ For 48 per cent, printers are not even included, even though it is precisely these that have the same security-relevant factors as a PC: With a hard disk and a direct wired or wireless connection to the IT infrastructure, hackers could directly access sensitive company information. With the small mini-computers that printers are today, hackers can redirect print jobs to view confidential documents or even introduce malware that can spread to the entire network. Now when you hear that 80,000 printers are found openly accessible on the internet every day, this fact should make companies think twice.
“The number of end devices such as smartphones and laptops is increasing with new work models such as Smart Work. And the less secure they are, the more points of attack there are for IT security.”– Thomas Malchar, CEO of MATESO
Hacker attacks on telephone systems
Especially in times of home office, the protection of end devices is especially important. An ancient hack, which was revived by the pandemic, serves as example: DECT telephones can be controlled from the outside, so that sales staff, for example, can listen to their mailbox while on the move. To do this, they simply call their own number and can access further functions via PIN entry. However, this feature is not used very often … In fact, most of the time the phones are still protected with the default pin, which was specified by the manufacturer (0000). Now came the Covid 19 lockdown and hackers started Voice and Identity Frauds on companies. With the help of mass attacks on company phones, for example, as many chargeable (international) calls as possible were made. The hacker became the provider of the chargeable number and thus received the money that was charged to the companies in telephone costs. So as long as terminal devices such as telephones have access to the outside world, the credentials are potentially always at risk.
How do I protect end devices?
This hack could easily have been prevented by, for example, automatically resetting the PIN after each access … Companies should also definitely protect Internet-capable printers and networks from unauthorised access with passwords and firewalls. The configuration and maintenance of such devices should only be allowed by secure accounts. Remote access should only be possible via encrypted connections. This is because if the connection is unencrypted, attackers could intercept data using “man-in-the-middle” attacks.
Laptops, smartphones and tablets can also be secured with a second factor. Thus, in the event of loss or theft, the employee’s fingerprint or token is still required to open Password Safe. Find out more about two-factor authentication here.
¹ IDC InfoBrief, sponsored by HP Inc, Do You Think Your Endpoint Security Strategy Is Up to Scratch, IDC #EUR145260919, Oct 2019