The Internet of Things – Including Printers – Poses Significiant Security Risks, Warns FBI
The bureau notes that the Internet of Things (IoT) refers to any object or device that connects to the Internet to automatically send and/or receive data. And, as more businesses and consumers use Web-connected devices, their connection to the Internet also increases the target space for malicious cyber criminals.
Risks include deficient security capabilities and difficulties patching vulnerabilities in these devices, as well as a lack of consumer security awareness. This provide cyber criminals with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, and even interfere with physical safety. The main IoT risks include:
- An exploitation of the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices. The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber criminals can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping.
- An exploitation of default passwords to send malicious and spam e-mails, or steal personal identities or credit-card information.
- Overloading the devices to render the device inoperable.
- Interfering with business transactions.
Unsecured or weakly secured devices provide opportunities for cyber criminals to intrude upon private networks and gain access to other devices and information attached to these networks. Devices with default passwords or open Wi-Fi connections are an easy target for cyber actors to exploit.
For consumers, the FBI recommends:
- Isolate IoT devices on their own protected networks.
- Disable UPnP on routers.
- Purchase IoT devices from manufacturers with a track record of providing secure devices.
- When available, update IoT devices with security patches.
- If a device comes with a default password or an open Wi-Fi connection, change the password and only allow the device to operate on a home network with a secured Wi-Fi router.
- Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device.
- Ensure all default passwords are changed to strong passwords. Don’t use the default password set by the device manufacturer. Many default passwords can be easily located on the Internet. Don’t use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device doesn’t provide the ability to change the password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.
- September 2014: Canon PIXMA Printer Hacked to Demonstrate Vulnerability of ‘Internet of Things’
- March 2013: Evernote Cloud-Based Document-Sharing Site Hacked
- November 2012: Samsung Printers Vulnerable to Hacking via SNMP
- October 2012: Securing MFPs for the Enterprise and McAfee Embedded Control Software