Network breach through MFP?

  • habik
    Service Manager

    Site Contributor
    1,000+ Posts
    • Apr 2010
    • 2013

    #1

    Network breach through MFP?

    Has anyone experienced it? Don't put any details of manufacturer etc. please.

    I haven't had the pleasures yet, just curious if someone had and what precautionary steps they took.

    Thanks for feedback.
    .OK Google! ... will I need Berrocca this morning?
    Firmwares HERE
  • Santander
    Senior Tech

    Site Contributor
    500+ Posts
    • May 2009
    • 768

    #2
    Re: Network breach through MFP?

    Originally posted by habik
    Has anyone experienced it? Don't put any details of manufacturer etc. please.

    I haven't had the pleasures yet, just curious if someone had and what precautionary steps they took.

    Thanks for feedback.
    We have discovered several attempts but no actual breach. We would like to think it is because we disable anything the customer does not use: no Apple units - disable Bonjour; don't use FTP - disable it; the network does not use NetBIOS - turn it off; no IPP printing, it has to run through the server. Reducing the footprint exposed to the outside goes a long way to mitigating any exposure. We also restrict USB host printing, as you cannot rely on users not introducing malware with files they download at home to a thumb drive and then try to print it on the office device. Unfortunately, it will also depend on how security aware the IT dept is. If the MFP is on an internal network, how does the malware get to the MFP in the first place? It is either through weak network practices or weak internal controls on the users.


    • Lance15
      Service Manager

      Site Contributor
      1,000+ Posts
      • Jun 2015
      • 1083

      #3
      Re: Network breach through MFP?

      Had a customer that had some MFPs compromised by use of IPP. The units kept spitting out full black prints or "garbage" prints. I turned off all protocols that they didn't need.


      • Woxner
        Senior Tech

        500+ Posts
        • Jul 2011
        • 837

        #4
        Re: Network breach through MFP?

        If they got into your machine they are already in your network most likely. Some machines use VxWorks to help stop this type of thing, like a virus.


        • KenB
          Geek Extraordinaire

          2,500+ Posts
          • Dec 2007
          • 3944

          #5
          Re: Network breach through MFP?

          MFP security is a valid concern....but it is a PARTNERSHIP between the dealer and the customer as to how to work with it effectively and efficiently.

          Just by the nature of what modern MFPs do, they can never be 100% secure. The very features that make them desirable dictate that there be some degree of exposure, however slight.

          Customer IT departments who try to place that responsibility completely on our shoulders are in need of some serious education. If they are persnickety about MFP security, it is a discussion that must be understood and agreed upon...in writing.

          I have a number of major accounts who have "build sheets", outlining exactly what needs to be configured and how. Those decisions were all made well before the machines ever hit the door.
          “I think you should treat good friends like a fine wine. That’s why I keep mine locked up in the basement.” - Tim Hawkins


          • habik
            Service Manager

            Site Contributor
            1,000+ Posts
            • Apr 2010
            • 2013

            #6
            Re: Network breach through MFP?

            Originally posted by KenB
            MFP security is a valid concern....but it is a PARTNERSHIP between the dealer and the customer as to how to work with it effectively and efficiently.

            Just by the nature of what modern MFPs do, they can never be 100% secure. The very features that make them desirable dictate that there be some degree of exposure, however slight.

            Customer IT departments who try to place that responsibility completely on our shoulders are in need of some serious education. If they are persnickety about MFP security, it is a discussion that must be understood and agreed upon...in writing.

            I have a number of major accounts who have "build sheets", outlining exactly what needs to be configured and how. Those decisions were all made well before the machines ever hit the door.

            We are pretty much on the same page on your last paragraph. We have a procedure in place to say what the machine can and cannot do.

            Thanks for feedback everyone.
            .OK Google! ... will I need Berrocca this morning?
            Firmwares HERE


            • PacketSniffer
              Technician
              • May 2017
              • 21

              #7
              Re: Network breach through MFP?

              Originally posted by habik
              Has anyone experienced it? Don't put any details of manufacturer etc. please.

              I haven't had the pleasures yet, just curious if someone had and what precautionary steps they took.

              Thanks for feedback.
              I am unfortunately aware of two instances on different continents where serious breaches have occurred. I am most certainly not going to go into details of vendors or how it was actually done but needless to say make sure firmware is up to date as your vendors should be aware of issues by now.

              One instance was devices being used as zombies to launch attacks on internal 'targets' including a mail server (which spammed external customers). Another was a number of devices used as a platform to access external resources and also become a spam bot.

              As has been said already, turn off what the customer does not need. People forget about port forwarding, but make sure this is off if your vendor devices support this. Currently there is a major concern with BlueBorne for all vendors that is being investigated. Turn off Wi-Fi Direct if not required.

              Enable egress filtering on the network and gateway (ISP may have to do the latter) to prevent spoofing. If the customer is serious about security then suggest implementing IDS and IPS kit and services if they haven't already.

              Sales staff do need to inform customers that even the most secure devices (potentially) are anything but 'out of the box' but customers are not told this from my experience.


              • rthonpm
                Field Supervisor

                2,500+ Posts
                • Aug 2007
                • 2847

                #8
                Re: Network breach through MFP?

                I've seen several instances where customers have inadvertently made their MFPs accessible on the public internet, not too fun, especially with a default password for the interface no less! My regular suggestions are:

                1. Strong web interface password
                2. Place MFPs and printers on a separate VLAN. Allow printer ports (9100, 515, etc.) inbound from a print server(s), allow only services used (scanning, email, etc.) for outgoing access. Limit access to web interface to the VLAN and restrict workstation access to it.
                3. Disable all unused protocols (Telnet, SSH, Bonjour)
                4. Strong password for User Tools, separate password for Service to use (I add a separate admin account on all of our machines)
                5. Ensure any drive encryption is turned on. My main thinking is that exfiltration of data from an MFP hard drive is overblown, but it often gives the customer an extra degree of comfort.
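
Added example, not part of any post in this thread: a Python check that replays connection records against the printer-VLAN policy described in post #8 (print ports only from the print server, web interface only inside the VLAN, outbound limited to the services in use). All addresses, the `Flow` record layout and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing plan: every address below is an assumption.
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")
PRINT_SERVERS = {ipaddress.ip_address("10.20.10.5")}
MAIL_RELAY = ipaddress.ip_address("10.20.10.25")   # scan-to-email
SCAN_SHARE = ipaddress.ip_address("10.20.10.40")   # scan-to-folder (SMB)
PRINT_PORTS = {9100, 515}      # raw and LPD, the ports named in the post
WEB_UI_PORTS = {80, 443}
EGRESS_ALLOWED = {(MAIL_RELAY, 25), (MAIL_RELAY, 587), (SCAN_SHARE, 445)}

# One record per new connection: initiator, responder, responder TCP port.
Flow = namedtuple("Flow", "src dst dport")

def check_flow(flow):
    """Return None when the flow fits the policy, otherwise the reason it does not."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_in, dst_in = src in PRINTER_VLAN, dst in PRINTER_VLAN
    if not (src_in or dst_in):
        return None                                   # not printer traffic
    if src_in and dst_in:                             # stays inside the VLAN
        return None if flow.dport in WEB_UI_PORTS else "unexpected traffic between printer VLAN hosts"
    if dst_in:                                        # inbound to an MFP
        if flow.dport in PRINT_PORTS:
            return None if src in PRINT_SERVERS else "print port used by a host that is not a print server"
        if flow.dport in WEB_UI_PORTS:
            return "web interface reached from outside the printer VLAN"
        return "inbound service not on the allow list"
    if (dst, flow.dport) in EGRESS_ALLOWED:           # outbound from an MFP
        return None
    return "outbound connection not on the egress allow list"

def audit(flows):
    """Return (flow, reason) for every flow that violates the policy."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

SAMPLE_FLOWS = [  # constructed sample data
    Flow("10.20.10.5", "10.20.30.11", 9100),    # print server to MFP
    Flow("10.20.40.77", "10.20.30.11", 9100),   # workstation printing directly
    Flow("10.20.40.77", "10.20.30.11", 631),    # IPP, not an allowed service
    Flow("203.0.113.9", "10.20.30.11", 443),    # web UI from an outside address
    Flow("10.20.30.11", "10.20.10.25", 25),     # scan-to-email via the relay
    Flow("10.20.30.11", "198.51.100.7", 25),    # MFP sending mail directly out
    Flow("10.20.30.12", "10.20.30.11", 443),    # web UI from inside the VLAN
    Flow("10.20.40.77", "10.20.10.5", 445),     # unrelated to the printer VLAN
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The same rule set can be turned into firewall ACLs between the VLANs; running it over flow logs first shows which existing traffic those ACLs would block.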
