Which small business printer manufacturers take security/firmware updates seriously?

None.

Attackers really don't target printers for malware and viruses. The most I have heard of is crooks trying to get ahold of the internal disk to try and retrieve old images of files.
 

Word. They are better than the IoT devices that are rightfully getting a lot of heat lately, but printers generally don't get a ton of updates. That is likely because they aren't seen as a large attack vector, but it would be nice to see them maintained a bit better.

That said, the MFC-L9550CDW is a model that has been discontinued for a while, so it should be no surprise that there haven't been firmware updates for a while. If it ain't broke, they're not going to spend money to fix it.
 
Sadly, long term support mostly died when HP went over to the dark side ages ago. Today, you are lucky if you can get 3 year old driver/firmware for a 4 year old printer.

For security, best to rely on a proper edge device that blocks outside access to/from the IP range your printer(s) are in.

Unless you REALLY need the 'ohh shiney' cloud stuff, don't install it.
 
We have a lot of the Brother multi-function machines and there really aren't firmware updates. But there are a lot of controls to limit outside connectivity. You can get to that by simply logging into the printer at the printer IP address in a browser. Be sure to change all default passwords.
 
I thought it was worse than that. I just saw this in the HP Officejet Pro 8630 firmware changelog:



Have heard them talking about more vulnerabilities like that on the Security Now podcast.
Yeah, but you have to consider that most printers are LAN devices vs Internet ones unlike cameras, etc. You'd have to get inside a LAN to attack it, and if you're already there, there's a lot better fish to prey on.
 
To be honest, I've kinda given up on a printer being 'secure', so I'm anxious to hear of any vendor that is taking it seriously.

You can minimize the risk by VLANing them off and securing the subnet. My printers don't have internet access, for instance. In fact, in a lot of cases, they can only talk to the print server(s) and even then only on specific ports.

Disabling services also goes a long way in minimizing the risk.
 
This is what I'd recommend as the best route for protection. And if you want to take it a crazy step further, put the printer on a separate physical LAN and use second NICs in each system that has to access it (old 10/100 cards would be great for this). Then it's a completely separate physical LAN without any Internet access at all. The only attack vector in a configuration like this is from an individual computer. And even if the printer gets compromised, it can't talk to anyone on the outside world.
 
Could maybe consider putting all the printers on a separate VLAN; that will allow you to set up firewall rules such as ensuring they can't "call home" or do anything weird, and also ensure that they can't access the rest of the network except where necessary. So if by chance one does get somehow compromised or turns out to have some fishy firmware, it won't be able to access anything. Basically the VLAN would only really need to allow connectivity to the printers from the print server's IP.
 
That's pretty much the idea, ya. I usually try to lock things down a bit further and only allow communication over TCP port 9100, although this can sometimes vary depending on the printer (the consumer-level printers are a bit sloppier about their port usage).

This limits the attack surface to the print drivers themselves, which is still a significant vector and why I try to use the OS built-in drivers first (PS, PCL).

Yes, I'm paranoid.
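
Added example, not part of any post in this thread: a small Python audit that checks new-connection flow records against the policy described above (only the print server may reach the printer VLAN, only on TCP 9100, and printers never open connections themselves). The addresses, the record format and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed values, not from the thread (documentation address ranges).
PRINTER_NET = ipaddress.ip_network("198.51.100.0/24")  # hypothetical printer VLAN
PRINT_SERVERS = {ipaddress.ip_address("192.0.2.10")}   # hypothetical print server
ALLOWED_PORTS = {("tcp", 9100)}                         # raw print port named in the thread

# Constructed flow records, one new connection per line: "src dst proto dport".
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.21 tcp 9100
192.0.2.55 198.51.100.21 tcp 9100
192.0.2.10 198.51.100.21 tcp 80
198.51.100.21 203.0.113.7 tcp 443
198.51.100.21 198.51.100.22 udp 161
192.0.2.55 192.0.2.10 tcp 445
"""

def check_flow(line):
    """Return None if the flow fits the policy, else a short reason string."""
    src_s, dst_s, proto, dport_s = line.split()
    src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    if src in PRINTER_NET:
        # Printers should only answer the print server, never initiate.
        return "printer initiated a connection"
    if dst not in PRINTER_NET:
        return None  # traffic that does not involve the printer VLAN
    if src not in PRINT_SERVERS:
        return "client bypassed the print server"
    if (proto.lower(), int(dport_s)) not in ALLOWED_PORTS:
        return "port not on the allow list"
    return None

def audit(text):
    """Return (line, reason) for every flow that violates the policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reason = check_flow(line)
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION: {line}  ({reason})")
```

Any finding from a run over real firewall or switch flow logs means the VLAN rules are looser than intended, or a printer is trying to reach something it should not.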
 