A recent news story told of a Columbia University experiment showing that hackers could attack mundane office equipment like faxes and copiers. In the experiment, the students were able to hack into an HP printer with firmware, taking complete control of the machine. Once they had control, they could access anything being printed, use the printer as a gateway to networked computers and even overload the printer to the point that it caught fire. HP downplayed the issue, but most machines made prior to 2009 have no built-in security whatsoever.
This experiment highlights the fact that cyber and physical security programs should consider not just the obvious targets like intellectual property and information stored on computers, but any equipment that is networked. These days “any equipment that is networked” includes not only our computers and office equipment, but also networked electronics used for physical security. Networked sensor alarms alert us to intrusions, fires and nearly all other hazards. We use video surveillance to monitor sensitive areas and computer screens to monitor the feeds. Computers often control physical access. Badges, identification cards and other authentication methods also employ networked electronics. Even the access authorization lists administered by humans are generated using computers.
Obviously, this type of equipment is vulnerable to hackers as well, and one can only imagine what kind of damage a hacker could do by triggering or disabling alarm systems, or the ease with which they could gain physical access to key areas.
A blazing fax machine may be rather unlikely, but the fact that it could happen does serve as another reminder of the importance of converging physical and IT security practices and the disappearing line between them.