How to reduce the risk of insecure firmware in office gear

A firmware study that found dozens of security problems affecting more than 120 products is a reminder to businesses to segregate and control access to networked office gear, experts say.

Researchers with Eurecom, a technology-focused graduate school in France, conducted the study on more than 30,000 firmware images taken from the websites of Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG, Belkin and other manufacturers.

The research found that firmware in more than 120 products contained at least some of the 38 vulnerabilities uncovered. The security problems included poorly protected encryption mechanisms and backdoors that could be exploited by hackers.

In general, firmware is used in managing interactions between the hardware and the higher-level software used to configure, manage and operate the device. Firmware is used in a variety of office equipment, such as wireless routers, copiers, printers and cameras.

Details of the study will be released next week at the 23rd Usenix Security Symposium in San Diego. However, the researchers have said that most of the firmware analyzed was in consumer gear.

Printers, however, cross the business and consumer markets, are seldom patched and represent the biggest non-computer security risk, Spencer McIntyre, technical specialist at SecureState, said.

"As far as printers go specifically, I would say those are the number one issue, as far as firmware updates and firmware vulnerabilities go for enterprise users in general," McIntyre said.

The best solution for reducing the risk posed by printers and other equipment is to keep them on a segregated network or to strictly control access, Robert Erbes, senior security consultant for IOActive, said.

"In order to protect against vulnerabilities embedded in firmware, the best approach is to be limiting to the point of paranoia who can talk to the vulnerable devices," Erbes said.

Networks used for printers, copiers and other devices should enforce strict white-listing that limits access to computers identified by their IP addresses.
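
One way to verify that the IP-based white-listing described above is actually being enforced, as an added example that is not from the article or the study: the script audits flow records for connections that reach the device segment from sources not on the list. The subnet, the permitted addresses and the flow lines are all constructed assumptions.

```python
import ipaddress

# Constructed values for illustration only; substitute your own addressing plan.
DEVICE_NET = ipaddress.ip_network("10.20.30.0/24")   # printers, copiers, cameras
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.10.5/32"),            # print server
    ipaddress.ip_network("10.20.99.0/28"),            # admin workstations
]

# Constructed flow records in the form "src dst dst_port".
SAMPLE_FLOWS = """\
10.20.10.5 10.20.30.11 9100
10.20.99.3 10.20.30.11 443
10.20.40.77 10.20.30.11 9100
10.20.30.12 10.20.30.11 23
203.0.113.9 10.20.30.40 80
10.20.40.77 10.20.10.5 631
not-an-ip 10.20.30.11 80
"""

def is_allowed(src):
    """True if the source address falls inside any permitted network."""
    return any(src in net for net in ALLOWED_SOURCES)

def audit(flow_text):
    """Return (violations, unparsed) for flows that reach the device segment."""
    violations, unparsed = [], []
    for line in flow_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except (ValueError, IndexError):
            unparsed.append(line)        # keep bad records visible, never drop silently
            continue
        if dst not in DEVICE_NET or is_allowed(src):
            continue
        # Traffic between devices inside the segment is flagged separately:
        # a segregated network should not let one device reach another.
        reason = "device-to-device" if src in DEVICE_NET else "source not on list"
        violations.append((str(src), str(dst), port, reason))
    return violations, unparsed

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS)[0]:
        print(v)
```

Any violation reported here means the segment's access control is looser than the list it is supposed to enforce.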

"You may be able to use other mitigations, but they will be device specific," Erbes said. "In other words, a vulnerability in the firmware of an IP camera can be mitigated differently than a vulnerability in the firmware of a piece of networking equipment."

The study's implications go beyond just office equipment to the emerging Internet of Things, which refers to the growing number of devices receiving and sending data over the Internet. These devices range from automobiles and home thermostats to health monitors.

Such device manufacturers need to design from the start with security in mind, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, said.

In general, computers that control the devices have to be separated from computers used to monitor them over the Internet.

"To be safe, these things need to be designed to separate computers that control dangerous things from computers that monitor those things and communicate with insecure networks and the Internet," Ginter said.

Stories by Antone Gonsalves