New MFP security level: imageRUNNER ADVANCE III

With the increase in built-in functions, office multifunction printers have long gone beyond trivial scanning / printing. Now they have become full-fledged independent devices integrated into high-tech local and global networks that connect users and organizations not only within one office, but throughout the world.

In this article, together with Luka Safonov, an expert in practical information security, LukaSafonov, we will look at the main threats to modern office multifunction devices and ways to prevent them.

Modern office equipment has its own hard drives and operating systems, thanks to which the MFP can perform a wide range of workflow tasks independently, removing the load from other devices. However, such a high technical equipment has a downside. Since the MFPs are actively involved in the transmission of data over the network, without proper protection, they become vulnerable places throughout the organization’s network environment. The security of any system is determined by the degree of protection of the weakest link. Therefore, any costs of protective measures for servers and enterprise computers become meaningless if the attacker still has a loophole through the multifunction printer. Understanding the problem of protecting confidential information, Canon developers have improved the security level of the third version of the imageRUNNER ADVANCE platform, which will be discussed in the article.
')

Main threats

There are several potential risks associated with the use of IFIs in organizations:

• Hacking the system through unauthorized access to the MFP and use as a "reference point";
• The use of MFPs for exfiltration of user data;
• Interception of data when printing or scanning;
• Access to data of persons who do not have appropriate access;
• Access to printed or scanned confidential information;
• Access confidential data on devices that have expired.
• Sending documents by fax or email to the wrong address intentionally or as a result of a typo;
• Unauthorized viewing of confidential information stored on unprotected multifunction devices;
• The total stack of printed tasks belonging to different users.

“Indeed, modern MFPs often have great potential for an attacker. Our project experience shows that unconfigured devices, or devices, without an adequate level of protection, give attackers a great opportunity to expand the so-called. "Attack surface". This is a list of accounts, network addressing, the ability to send email messages and much more. Let's try to find out whether the solutions offered by Canon are capable of neutralizing these threats. ”

For each type of vulnerability in the new platform imageRUNNER ADVANCE provides a whole range of complementary measures that provide multi-level protection. It should be noted that the development required a specific approach because of the peculiarities of the MFP. When printing and scanning documents, there is a transition of information from the digital to the analog form or vice versa. Each of these types of information requires fundamentally different ways to ensure protection. Usually at the junction of technologies, due to their heterogeneity, the most vulnerable place is formed.

“Often, the MFPs are easy targets for both pentesters and intruders. As a rule, this is due to the negligence of setting up such devices and their relatively easy accessibility, both in the office environment and in the network infrastructure. Of the latter cases, an indicative attack that occurred on November 29, 2018, when a Twitter user under the pseudonym TheHackerGiraffe “hacked” more than 50,000 network printers and printed leaflets on them calling to subscribe to a certain PewDiePie YouTube channel. On Reddit, TheHackerGiraffe stated that he could compromise more than 800,000 devices, but limited himself to only 50,000. At the same time, the hacker stressed that the main problem was that he had never done anything like that before, but all the preparations and the hack themselves occupied him only half an hour".

When Canon develops technologies, products, and services, their potential impact on customers' work environments is taken into account. That is why Canon's office multifunction printers are equipped with a wide range of built-in and additional security features that allow companies of all sizes to achieve the required level of protection.



Canon uses one of the most stringent security checks in the entire office equipment industry. The technologies used in the devices are tested for compliance with company standards. Much attention is paid to security checks with the conduct of current examinations, the results of which have received positive feedback on the operation of devices from companies such as Kaspersky Lab, COMLOGIC, TerraLink and JTI Russia and others.

“Despite the fact that in today's reality it is logical to increase the safety of their products, this principle is not all companies follow. Companies are starting to think about the protection after the hacking facts (and user pressure) of certain products. On this side, Canon’s solid approach to the implementation of methods and measures of protection is indicative. ”

Unauthorized access to the MFP

Very often, unprotected MFPs are among the priority goals of both internal violators (insiders) and external ones. In today's reality, the corporate network is not limited to one office, but includes a group of departments and users with different geographic locations. Centralized workflow requires remote access and the inclusion of the MFP in the corporate network. Network printers are related to the Internet of Things, and their protection is often not given due attention, which leads to a general vulnerability of the entire infrastructure.

To protect against such threats, the following measures have been implemented:

• IP and MAC address filtering - setting the permission to communicate only with devices that have specific IP or MAC addresses. This function regulates the transmission of data both within the network and its output beyond its limits.
• Proxy server configuration - thanks to this function, you can delegate the management of MFP connections to a proxy server. This feature is recommended when connecting to devices outside the corporate network.
• IEEE 802.1X authentication is another protection against connecting devices that are not authorized by the authentication server. Unauthorized access is blocked by a LAN switch.
• Connection via IPSec - protects against attempts to intercept or decrypt IP packets transmitted over the network. It is recommended to use TLS communication with additional encryption.
• Port Management - designed to protect against insider assistance to intruders. This function is responsible for configuring the configuration of port parameters in accordance with the security policy.
• Automatic Certificate Registration — This feature gives system administrators a handy tool to automatically issue and update security certificates.
• Wi-Fi direct - a feature designed for secure printing from mobile devices. For this, the mobile device does not need to be connected to the corporate network. Using Wi-Fi direct, a local peer-to-peer device-MFP connection is created.
• Log monitoring - all events on the use of the MFP, including blocked connection requests, are recorded in various system logs in real time. By analyzing the records, you can detect potential and existing threats, build a preventive security policy and conduct an expert assessment of an information leakage that has already occurred.
• Encrypting data when interacting with the device - this option encrypts print jobs when they are sent from a user PC to a multifunction printer. You can also encrypt scanned data in PDF format by activating a universal set of security features.
• Guest printing from mobile devices. Software for managing secure network printing and scanning eliminates frequency problems related to printing security from mobile devices and guest printing by providing external ways to send print jobs, such as email, the Internet, and a mobile application. This ensures that the MFP works with a safe source, minimizing the likelihood of hacking.

“Sharing these types of devices in addition to convenience and cost reduction entails the risks of access to third-party information. This can be used not only by attackers, but also by unscrupulous employees to extract personal gain or to obtain insider information. And the great potential of the processed information - from technological secrets to financial documentation - is a significant priority for an attack or illegitimate use. ”

An innovation of the new version of the imageRUNNER ADVANCE platform is the ability to connect printing devices to two networks. This is very convenient when the multifunction device is used simultaneously in corporate and guest mode.

Hard Disk Protection

A multifunction printer always stores a large amount of data that needs to be protected — from print jobs in the queue to received faxes, scanned images, address books, activity logs and job history.

In fact, the disk is only temporary storage, and finding information on it for longer than the required time increases the vulnerability of the corporate security system. To prevent this from happening, in the settings you can set the rules for cleaning the hard disk. In addition to the fact that print jobs are cleared immediately after the execution or in case of print failures, other files can be deleted according to a schedule with the cleaning of residual data.

“Unfortunately, even many IT professionals are poorly aware of the role of the hard disk in modern printing devices. The presence of a hard disk can significantly reduce the duration of the preparatory stage of printing. Hard disk drives usually store system information, image files, and rasterized images for printing copies. In addition to incorrectly disposing of the MFP and the possibility of data leakage, there is a possibility of dismantling / stealing a hard disk for analysis, or conducting specialized attacks to exfiltrate data, for example, using the Printer Exploitation Toolkit. ”

Canon devices offer a range of tools to protect data at all stages of a device’s life cycle, as well as to preserve their confidentiality, integrity and availability.
Much attention is paid to the protection of data on the hard disk. Information stored there may have different degrees of confidentiality. Therefore, on all 26 models of devices within 7 different series of the new version of the imageRUNNER ADVANCE platform, HDD encryption is used. It complies with the FIPS 140-2 Level 2 security standard adopted by the US government, as well as the Japanese equivalent of JCVMP.

“It is important to have a system of access to information that takes into account user roles and access levels. For example, in many companies the discussion of salaries among employees is strictly prohibited, and the leakage of payroll or information about bonuses can provoke a serious conflict in the team. Unfortunately, such cases are known to me; in one of them, this led to the dismissal of the employee responsible for this kind of leakage. ”

• Hard drive encryption ImageRUNNER ADVANCE devices encrypt all data on the hard disk to increase security.
• Cleaning the hard drive. Some data, such as data from copied or scanned images, as well as data from documents printed from a computer, is stored on the printer’s hard drive for a limited time and deleted after the corresponding job.
• Initialization of all data and parameters. To prevent data loss when replacing or disposing of a hard disk, you can overwrite all documents and data on the hard disk, and then reset the settings to default values.
• Backup hard drive. Companies were able to back up data from the device’s hard disk to an additionally purchased hard disk. When backing up data on both hard drives are fully encrypted.
• Removable hard disk kit. This option allows you to remove the hard drive from the device for safekeeping until the device is in use.

Critical data leakage

All companies deal with confidential documents such as contracts, agreements, accounting documents, customer data, development department plans, and more. If such documents fall into the wrong hands, the consequences can range from reputation damage to large fines or even lawsuits. Attackers can gain control over company assets, insider or confidential information.

“It is not only competitors or fraudsters who steal valuable information. There are often cases when employees decide to develop their business or secretly earn money by selling information to the side. In such situations, the printer becomes their main assistant. Any transfer of data within the company is easy to track. In addition, access to valuable information is not ordinary employees. And what could be simpler for an ordinary manager than to steal a valuable document lying idle? Everyone will cope with such task. Printed documents do not even always need to make the organization. Quickly enough to photograph the materials lying around idle on the phone with a good camera. ”

Canon offers a range of security solutions to help you protect sensitive documents throughout their life cycle.

Confidentiality of printed documents

The user can set the print PIN code so that the document can be printed only after entering the correct PIN code on the device. This allows you to protect confidential documents.

“Often, the MFP can be seen in the public places of the organization - for the convenience of users. These can be halls and meeting rooms, corridors and reception rooms. Only the use of identifiers (PIN codes, smart cards) will ensure the safety of information in the context of user access level. Noteworthy cases are when users got access to previously sent documents, passport scans, etc. due to inadequate monitoring and the lack of data cleansing functions. ”

On the imageRUNNER ADVANCE device, the administrator can suspend all sent print jobs — thus, users will have to log in to print, thereby protecting the confidentiality of all printed materials.

Print jobs or scanned documents can be stored in mailboxes for access at any convenient time. Mailboxes can be protected with a PIN code so that only designated users can access their content. Frequently printed documents (such as letterheads and forms) that require careful handling can be stored in this protected space on the device.

Full control over sending documents and faxes

To reduce the risk of information leakage, administrators can restrict access to various recipients, for example, those who are not in the address book on an LDAP server, which are not registered in the system or on a specific domain.

To prevent documents from being sent to incorrect recipients, you must disable the automatic completion of email addresses.

Setting a PIN to protect will protect the device’s address book from unauthorized user access.

Requesting users to re-enter a fax number will prevent documents from being sent to incorrect recipients.

Protecting documents and faxes in a confidential folder or PIN-code will ensure reliable storage of documents in memory without printing them.

Checking the source and authenticity of the document

You can add a device signature to scanned PDF or XPS documents using a key and a certification mechanism — this way the recipient can verify the source and authenticity of the document.

“In an electronic document, an electronic digital signature (EDS) is its requisite, designed to protect this electronic document from forgery and allows you to identify the owner of the signature key certificate, and also to establish the absence of distortion of information in the electronic document. This ensures the safety of the transmitted document and the exact identification of its owner, which allows to preserve the accuracy of the information. ”

User Signature allows you to send PDF or XPS files with a unique digital user signature obtained from a certification company. This way, the recipient will be able to verify who signed the document.

Integration with ADOBE LIFECYCLE MANAGEMENT ES

Users can protect PDF files and apply uniform and dynamic policies to them to control access and usage rights, as well as to protect confidential and valuable information from inadvertent or malicious disclosure. Security policies are supported at the server level, so the rights can be changed even after the file is distributed. The imageRUNNER ADVANCE series devices can be configured to integrate with Adobe ES.

Secure printing uniFLOW MyPrintAnywhere is sending print jobs through the universal driver and printing them on any network printer.

Prevent duplicates

Drivers allow you to print visible marks on a page, which are located on top of the contents of the document. This can be used to inform employees about the confidentiality of the document and prevent it from being copied.

Printing / copying with invisible watermarks - documents will be printed or copied with embedded hidden text on the background, which will appear when creating a duplicate and play the role of a deterrent.

The NTware uniFLOW software capabilities (part of the Canon group of companies) provide additional efficient workflow security tools.
Using uniFLOW in combination with iW SAM Express will allow you to digitize and archive documents sent to the printer or received from the device, as well as analyze text data and attributes when responding to security threats.

Tracking the source of the document through the embedded code.

Block scan of documents - this option embeds hidden code in printed documents and copies, which prevents their further copying on the device on which this function is activated. The administrator can use this parameter for all tasks or only tasks selected by the user. TL and QR codes are available for embedding.

“As a result of the tests and acquaintance with the functionality of the imageRUNNER ADVANCE III technology, we were able to confirm the main correspondences to modern IT security policies. The above protective measures meet the basic security requirements and are able to minimize the risks of breach of information security. ”

---

The latest imageRUNNER ADVANCE devices are equipped with a security policy feature that allows an administrator to manage all security settings in one menu and edit them before being used as a device configuration. After use, device use and parameter changes should occur in accordance with this policy. The security policy can be protected with a separate password so that it provides additional management and protection capabilities, and only the IT security officer has access to it.

"It is necessary to find and maintain a balance between security and convenience, competently using technological advances and technical solutions to protect information, use qualified personnel and skillfully manage the provided means to ensure the security of the company."

Assistance in the preparation of the material - Luka Safonov, Head of the Laboratory of Practical
security analysis, Jet Infosystems.