How to reduce the risk of insecure firmware in office gear

A firmware study that found dozens of security problems affecting more than 120 products is a reminder to businesses to segregate and control access to networked office gear, experts say.

Researchers with Eurecom, a technology-focused graduate school in France, conducted the study on more than 30,000 firmware images taken from the websites of Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG, Belkin and other manufacturers.


The research found that firmware in more than 120 products contained at least some of the 38 vulnerabilities uncovered. The security problems included poorly protected encryption mechanisms and backdoors that could be exploited by hackers.

In general, firmware manages the interaction between a device's hardware and the higher-level software used to configure, manage and operate it. Firmware runs in a wide range of office equipment, including wireless routers, copiers, printers and cameras.

Details of the study will be released next week at the 23rd Usenix Security Symposium in San Diego. The researchers have said that most of the firmware analyzed was in consumer gear.

Printers, however, which straddle the business and consumer markets, are seldom patched and represent the biggest non-computer security risk, said Spencer McIntyre, technical specialist at SecureState.

"As far as printers go specifically, I would say those are the number one issue, as far as firmware updates and firmware vulnerabilities go for enterprise users in general," McIntyre said.

The best solution for reducing the risk posed by printers and other equipment is to keep them on a segregated network or to strictly control access, Robert Erbes, senior security consultant for IOActive, said.

"In order to protect against vulnerabilities embedded in firmware, the best approach is to be limiting to the point of paranoia who can talk to the vulnerable devices," Erbes said.

Networks used for printers, copiers and other such devices should enforce a strict allow-list that admits only computers identified by their IP addresses, denying everything else by default.

"You may be able to use other mitigations, but they will be device specific," Erbes said. "In other words, a vulnerability in the firmware of an IP camera can be mitigated differently than a vulnerability in the firmware of a piece of networking equipment."
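The following is an added example, not code from the article or from any of the companies quoted in it. It models the control the consultants describe (a segregated device segment reachable only from computers identified by their IP addresses, with everything else denied) and evaluates constructed flow records against that policy so that any connection from an unlisted host, or to a service that is not needed, can be reported. The subnet, host addresses, port list and log lines are all invented for illustration.

```python
"""Default-deny allow-list for a segregated printer/copier segment.

Added example (not from the article). The policy below mirrors the advice in
the text: only named management hosts may talk to the device segment, and only
on the services they actually need. Every address, port and flow record here
is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed policy: the segregated segment holding printers, copiers, cameras.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Constructed allow-list: the only hosts permitted to reach that segment.
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.10.1.20"),  # print server
    ipaddress.ip_address("10.10.1.21"),  # device-management workstation
}

# Services those hosts legitimately use on the devices (raw print, IPP, HTTPS).
ALLOWED_PORTS = {9100, 631, 443}


@dataclass(frozen=True)
class Flow:
    """One connection attempt: source host, destination host, destination port."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport' record (e.g. from a flow export)."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def is_permitted(flow: Flow) -> bool:
    """Default deny for the device segment: permit only a listed source on a
    listed port. Traffic that does not enter the segment is out of scope here
    and is passed through unchanged."""
    if flow.dst not in DEVICE_SEGMENT:
        return True
    return flow.src in ALLOWED_SOURCES and flow.dport in ALLOWED_PORTS


def find_violations(lines: Iterable[str]) -> List[Flow]:
    """Return every flow that tried to enter the device segment but was not permitted."""
    return [flow for flow in map(parse_flow, lines) if not is_permitted(flow)]


# Constructed sample flow records: "src dst dport".
SAMPLE_FLOWS = [
    "10.10.1.20 10.50.0.15 9100",  # print server -> printer, raw print: allowed
    "10.10.1.21 10.50.0.15 443",   # management workstation -> printer web UI: allowed
    "10.10.7.44 10.50.0.15 443",   # ordinary user PC -> printer web UI: source not listed
    "10.10.1.20 10.50.0.15 23",    # print server -> printer telnet: port not listed
    "10.10.7.44 10.10.1.20 445",   # user PC -> file server, outside the segment: out of scope
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}")
```

Run as-is, the script reports the two denied flows (the unlisted user PC and the unneeded telnet port). The same policy translates directly into a firewall or switch ACL between the user network and the device segment; the article's own caveat applies, in that an IP address identifies a host only as well as the network it sits on, so the allow-list belongs on the boundary of the segregated segment rather than on the devices themselves.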

The study's implications go beyond just office equipment to the emerging Internet of Things, which refers to the growing number of devices receiving and sending data over the Internet. These devices range from automobiles and home thermostats to health monitors.

Such device manufacturers need to design from the start with security in mind, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, said.


In general, computers that control the devices have to be separated from computers used to monitor them over the Internet.

"To be safe, these things need to be designed to separate computers that control dangerous things from computers that monitor those things and communicate with insecure networks and the Internet," Ginter said.
