IT vulnerabilities become physical security challenges with recent college bomb threats

June 23, 2017
Hoaxes perpetrated using printers, fax machines expose glaring weakness in campus security

Earlier this month, USA Today reported that universities nationwide have recently suffered a rash of hoax bomb threats sent to printers and fax machines on their campuses.  Among the schools impacted, according to the report, include Vanderbilt University, University of Virginia, University of Southern California, and University of Detroit-Mercy. 

While the incidents, which have been said to include a threat to detonate a bomb on campus unless demands for a $25,000 ransom be paid to a Brazilian citizen via Western Union transfer, do not seem credible on the surface ­– they still have to be taken serious by the school’s administration and security team all the same, leading to significant disruption of their operations.  

School security expert Patrick Fiel, who formerly  served as the executive director of security for the Washington, D.C. Public School System, says they once received over 90 bomb threats in a single year which not only interrupted teaching time but were “very time consuming” and “costly.” After meeting with police and other emergency personnel along with legal and school administrators to discuss lessons learned, Fiel, who now serves as president of PVF Security Consulting, says they were able to put a significant dent in the problem.

“The following year we were able to reduce about 90 percent of the threats,” Fiel says. “We made several arrests and suspended or expelled students.”

However, the problem facing campus security administrators today extends beyond simply tracing where phone calls or hand-written notes originated, but how to keep pranksters and cyber criminals from being able to exploit vulnerabilities in internet-connected devices like printers.

According to Ashish Malpani, who formerly headed up product management activities for Dell-EMC’s campus networking portfolio and now serves as a director of product marketing at HID Global, there are secure print capabilities available today that would enable universities to require that students, faculty members and others be physically present – authenticating their identity with a code, student ID number, etc. – whenever something is printed on a device. But that simply may not be feasible in a world that requires technology to be convenient and easy to use from anywhere.

With that being said there are a number of different steps that colleges can take to better secure their campus printers. Among these include: 

  • Changing Default Passwords. One of the first things Malpani advises that universities, businesses and others who may be exposed to these types of printer-delivered threats should do is change the default passwords on the printer’s web server, which is oftentimes something that hackers can easily guess, such as “123456” or “password.” “In most cases this doesn’t get changed and that is why these printers become very vulnerable,” he adds.
  • Restrict Access Geographically. Malpani says it is also a good idea to restrict access to printers to IP addresses located within a specific geographic area surrounding a campus. However, this can also present a challenge to students and faculty members that want to utilize cloud printing applications. “Let’s say I wrote something in my dorm and I want to print it out on my way to class, so I issue a print command… and then it gets printed on the university network,” he says. “Those kinds of scenarios will not be possible if you limit printing to IP addresses on campus because most students do not have university IP addresses.
  • Disable Non-Essential Services. Because many printers today are nearly full-functioning computers in some cases and can run a number of different services on them, Malpani says universities should think about disabling all of the services they don’t need to prevent cyber criminals from having yet another entry point into the device.
  • Install the Latest Firmware Patches. Campus IT administrators need to make sure that all of the firmware updates released by the manufacturers of their printers are kept up to date, which can be problematic due to the fact that there is not a lot of patch management software available for printers. “Usually you have patch management for servers, your networking equipment and all sorts of other things, but there are very few options available for people to deploy for printers,” he adds. “What that means, as an IT administrator, is I have to manage this manually until these printers are up to date but, as a best practice, you should be doing that.”
  • Properly Dispose of Equipment. Once a printer has reached the end of its lifecycle, Malpani says they need to be disposed of in a proper manner to ensure that sensitive data stored in their hard drive is not compromised.

When it comes to fax machines, Malpani says there is very little that can be done to prevent threats and other unwanted spam from being sent to them. However, because the capabilities of traditional fax machines have now, in many ways, simply been incorporated into modern printers, their use among today’s universities and businesses is extremely limited.

Moving forward in looking at how the process of printing is evolving, Malpani says cloud applications are going to play a much bigger role and thus require greater security protocols. 

“Other manufacturers are trying to be, in a way, Uber for printing with the idea being you could go to any printer that is authorized and say, ‘Ok, print this document,’ and it comes out,” Malpani says. “That definitely changes the threat vectors going forward. Also, most printers now support wireless printing which introduces another threat of if I want to hack a printer or a user; I don’t even have to be in close proximity. As administrators, we need to be more vigilant and understand how these threat vectors are changing and ensure that the printing capabilities of the organization are part of your security policy and audit procedures.”

About the Author: 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.