How to reduce the risk of insecure firmware in office gear
- 13 August, 2014 10:13
A firmware study that found dozens of security problems affecting more than 120 products is a reminder to businesses to segregate and control access to networked office gear, experts say.
Researchers with Eurecom, a technology-focused graduate school in France, conducted the study on more than 30,000 firmware images taken from the websites of Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG, Belkin and other manufacturers.
The research found that firmware in more than 120 products contained at least some of the 38 vulnerabilities uncovered. The security problems included poorly protected encryption mechanisms and backdoors that could be exploited by hackers.
In general, firmware is used in managing interactions between the hardware and the higher-level software used to configure, manage and operate the device. Firmware is used in a variety of office equipment, such as wireless routers, copiers, printers and cameras.
Details of the study will be released next week at the 23rd Usenix Security Symposium in San Diego. However, the researchers have said that most of the firmware analyzed was in consumer gear.
Still, printers, which straddle the business and consumer markets, are seldom patched and represent the biggest non-computer security risk, said Spencer McIntyre, technical specialist at SecureState.
"As far as printers go specifically, I would say those are the number one issue, as far as firmware updates and firmware vulnerabilities go for enterprise users in general," McIntyre said.
The best solution for reducing the risk posed by printers and other equipment is to keep them on a segregated network or to strictly control access, Robert Erbes, senior security consultant for IOActive, said.
"In order to protect against vulnerabilities embedded in firmware, the best approach is to be limiting to the point of paranoia who can talk to the vulnerable devices," Erbes said.
Networks used for printers, copiers and other devices should use strict white-listing that limits access to computers identified by their IP addresses.
"You may be able to use other mitigations, but they will be device specific," Erbes said. "In other words, a vulnerability in the firmware of an IP camera can be mitigated differently than a vulnerability in the firmware of a piece of networking equipment."
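The segregation and IP allow-listing the consultants recommend can be expressed as a checkable policy. The following is an added example, not code from the article or from the experts quoted in it: it models a segregated printer subnet, an allow-list of management hosts, and the ports a printer legitimately exposes, then audits constructed flow-log lines for traffic that bypasses the policy, and renders the equivalent nftables enforcement rule. The subnet, host addresses, port list, flow records and the nftables fragment are all assumptions constructed for illustration.

```python
"""Allow-list audit for a segregated printer/copier network (added example)."""
import ipaddress

# Constructed: the segregated device network and the hosts allowed into it.
PRINTER_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.10.1.15"),  # print server (constructed)
    ipaddress.ip_address("10.10.1.16"),  # admin workstation used for firmware updates (constructed)
}
# Constructed: services a printer legitimately exposes (IPP, raw print, HTTPS admin).
ALLOWED_PORTS = {631, 9100, 443}


def flow_permitted(src, dst, dport):
    """Return True if a flow into the printer network is on the allow-list.

    Flows whose destination is outside the printer network are not governed
    by this policy and are reported as permitted so other rules can apply.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in PRINTER_NET:
        return True
    return src_ip in ALLOWED_SOURCES and dport in ALLOWED_PORTS


def audit_flows(lines):
    """Parse flow-log lines of the form 'SRC DST DPORT' and return violations.

    Each violation is a tuple (src, dst, dport, reason). Blank lines and
    '#' comments are skipped.
    """
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        dport = int(dport)
        if flow_permitted(src, dst, dport):
            continue
        if ipaddress.ip_address(src) not in ALLOWED_SOURCES:
            reason = "source not on allow-list"
        else:
            reason = "port not allowed on device segment"
        violations.append((src, dst, dport, reason))
    return violations


def render_nft_rules():
    """Render the same policy as an nftables forward-chain fragment.

    Assumed syntax for illustration; review against the nft manual before use.
    Allowed sources may reach allowed ports on the printer segment; everything
    else destined for that segment is dropped.
    """
    sources = ", ".join(str(ip) for ip in sorted(ALLOWED_SOURCES))
    ports = ", ".join(str(p) for p in sorted(ALLOWED_PORTS))
    return (
        "table inet printer_guard {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f"    ip daddr {PRINTER_NET} ip saddr {{ {sources} }} "
        f"tcp dport {{ {ports} }} accept\n"
        f"    ip daddr {PRINTER_NET} drop\n"
        "  }\n"
        "}\n"
    )


# Constructed sample flow records: source, destination, destination port.
SAMPLE_FLOWS = [
    "10.10.1.15 10.50.0.20 9100",   # print server -> printer, raw print: allowed
    "10.10.1.16 10.50.0.20 443",    # admin host -> printer web UI: allowed
    "10.10.2.77 10.50.0.20 9100",   # ordinary desktop -> printer directly: violation
    "10.10.1.15 10.50.0.20 23",     # print server -> printer telnet: port not allowed
    "10.10.2.77 10.10.1.15 631",    # desktop -> print server: outside this policy
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION: %s -> %s:%d (%s)" % v)
    print(render_nft_rules())
```

Run against exported flow records (NetFlow, firewall logs) to find hosts that still talk to devices directly rather than through the print server. Two caveats a practitioner would add: IP-based allow-listing assumes the source address is trustworthy, so it belongs behind switch-port or VLAN controls rather than standing alone, and the port list should be revisited whenever a device's firmware update changes which services it exposes.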
The study's implications go beyond just office equipment to the emerging Internet of Things, which refers to the growing number of devices receiving and sending data over the Internet. These devices range from automobiles and home thermostats to health monitors.
Such device manufacturers need to design from the start with security in mind, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, said.
In general, computers that control the devices have to be separated from computers used to monitor them over the Internet.
"To be safe, these things need to be designed to separate computers that control dangerous things from computers that monitor those things and communicate with insecure networks and the Internet," Ginter said.