Saturday, February 18, 2017

You don't need printer security

So there's this tweet:



What it's probably refering to is this:


This is an obviously bad idea.

Well, not so "obvious", so some people have ask me to clarify the situation. After all, without "security", couldn't a printer just be added to a botnet of IoT devices?

The answer is this:
Fixing insecurity is almost always better than adding a layer of security.
Adding security is notoriously problematic, for three reasons

  1. Hackers are active attackers. When presented with a barrier in front of an insecurity, they'll often find ways around that barrier. It's a common problem with "web application firewalls", for example.
  2. The security software itself can become a source of vulnerabilities hackers can attack, which has happened frequently in anti-virus and intrusion prevention systems.
  3. Security features are usually snake-oil, sounding great on paper, with with no details, and no independent evaluation, provided to the public.

It's the last one that's most important. HP markets features, but there's no guarantee they work. In particular, similar features in other products have proven not to work in the past.

HP describes its three special features in a brief whitepaper [*]. They aren't bad, but at the same time, they aren't particularly good. Windows already offers all these features. Indeed, as far as I know, they are just using Windows as their firmware operating system, and are just slapping an "HP" marketing name onto existing Windows functionality.

HP Sure Start: This refers to the standard feature in almost all devices these days of having a secure boot process. Windows supports this in UEFI boot. Apple's iPhones work this way, which is why the FBI needed Apple's help to break into a captured terrorist's phone. It's a feature built into most IoT hardware, though most don't enable it in software.

Whitelisting: Their description sounds like "signed firmware updates", but if that was they case, they'd call it that. Traditionally, "whitelisting" referred to a different feature, containing a list of hashes for programs that can run on the device. Either way, it's a pretty common functionality.

Run-time intrusion detection: They have numerous, conflicting descriptions on their website. It may mean scanning memory for signatures of known viruses. It may mean stack cookies. It may mean double-checking kernel modules. Windows does all these things, and it has a tiny benefit on stopping security threats.

As for traditional threats for attacks against printers, none of these really are important. What you need to secure a printer is the ability to disable services you aren't using (close ports), enable passwords and other access control, and delete files of old print jobs so hackers can't grab them from the printer. HP has features to address these security problems, but then, so do its competitors.

Lastly, printers should be behind firewalls, not only protected from the Internet, but also segmented from the corporate network, so that only those designed ports, or flows between the printer and print servers, are enabled.

Conclusion

The features HP describes are snake oil. If they worked well, they'd still only address a small part of the spectrum of attacks against printers. And, since there's no technical details or independent evaluation of the features, they are almost certainly lies.

If HP really cared about security, they'd make their software more secure. They use fuzzing tools like AFL to secure it. They'd enable ASLR and stack cookies. They'd compile C code with run-time buffer overflow checks. Thety'd have a bug bounty program. It's not something they can easily market, but at least it'd be real.

If you cared about printer security, then do the steps I outline above, especially firewalling printers from the traditional network. Seriously, putting $100 firewall between a VLAN for your printers and the rest of the network is cheap and easy way to do a vast amount of security. If you can't secure printers this way, buying snake oil features like HP describes won't help you.

2 comments:

pcab50 said...

Yes, that's even more true as the printer industry has to fix massive security issues, as Jens Müller recently demonstrated: Hacking Printers Advisory 1/6: PostScript printers vulnerable to print job capture.

Greg Nation said...

> Lastly, printers should be behind firewalls

I thought that no organization should use firewalls of any type, because they break the end-to-end principle of the Internet. I've even heard someone say that they should be banned by law. If this is the case, then security has to be built into the printer.

I can confidently say that I trust HP's printer security just as much as I trust Yahoo's email security.