Open ports that direct traffic to and from machines in the office could become an attack vector, especially as more employees return to a physical office environment. If attackers can access your network through an unsecured and often forgotten port, then your sensitive data could be at risk. This article considers security risks for ports related to office machinery.
Networked devices create new risk
With many organizations implementing a return to office policy, networked devices that have been out of use in recent years will be back in action. Printer, coffee machines, device controllers, and other physical devices that are connected to your system should be accounted for in your network security plan.
A networked printer may not seem like the opportune attack vector for a cybercriminal, but the exposed service can lead to unauthorized access, privilege escalation, and sensitive data capture. For example, in a 2023 Risk and Vulnerability Assessment conducted by the Cybersecurity and Infrastructure Security Agency (CISA), a public health organization experienced simulated compromise during a penetration test wherein the security professional leveraged the networked printer to gain access and intercept user credentials.
"While logged into the printer interface as an administrator, the team 1) modified the “Save as file” configuration to use File Transfer Protocol (FTP) instead of Server Message Block (SMB) and 2) changed the Server Name and Network Path to point to a CISA-controlled machine running Responder [T1557]. Then, the team executed a “Connection Test” that sent the username and password over FTP [T1187] to the CISA machine running Responder, which captured cleartext credentials for a non-privileged domain account (ACCOUNT 2)." (CISA, Enhancing Cyber Resilience security advisory, page 5)
Physical devices that are connected to your network might include mundane options like a printer, as well as critical hardware like a controller for industrial machinery. Because these devices can have an outsized impact on your business operations and because attackers can use any weakness in your software environment, it is critical to remain vigilant with any and all physical assets. Closed ports can help prevent return to office security concerns.
Innocuous devices like coffee machines and printers often experience poor patch management if they are not regularly updated. While the smart coffee machine tucked in the corner of the breakroom may not be as strong a target as an employee's corporate laptop, any networked device remains a potential attack vector. Older devices, especially, may rely on legacy name resolution or outdated firmware that has reached its end of support.
Security teams should include these devices in any asset management program, even though they represent a smaller attack surface. Use an automated system or port scanner to identify exposed ports across your networked devices.
Risks associated with office machinery
Security risks transcend servers to include complex networking like devices that are part of your Internet of Things (IoT) and industrial machines, as well as typical networked devices like a printer or a coffee machine. With this variety of attack surface, it's important to know which machines communicate over your network so they can be secured.
UpGuard Breachsight automatically identifies a large variety of open ports, such as the following risk findings for device-specific ports:
- 'Coffee Status' port open
- 'Coffee Machine' port open
- 'DVR SerialNo' port open
- 'Gardasoft Controller' port open
- 'Omron PLC' port open
- 'OPC UA' port open
- 'Printer' port open
- 'Printer Status' port open
- 'Ubiquiti' port open
While some of these machines are more common than others, like a coffee machine or printer, others are industry-specific, like the OMRON programmatic logic controller (PLC) used for device control. If you use these or other machines with dedicated ports for service management and remote monitoring, configure the port for internal networks only. You can optionally limit access to a VPN or to authorized IP addresses only.
If your office environment includes a smart coffee machine and a networked printer, the service should be run on internal networks only. Run regular firmware and software updates to ensure that the machines do not have unpatched vulnerabilities that could be easily exploited. Similarly, an exposed DVR port might enable an attacker to access your surveillance system for reconnaissance.
The Gardasoft Controller is a piece of hardware used to control power, intensity, and timing for Gardasoft LED lights. A lighting controller provides precision control for machine vision. If an attacker gains access to the controller through an exposed port, they can compromise the system or intercept and modify transmitted data. Access should be limited to authorized IP addresses only.
The Omron PLC is a controller frequently used in industrial automation. A compromised Omron controller can disrupt operations, damage equipment, and create safety risk for workers. To protect the control logic and production data, close the port in use (TCP port [.rt-script]102[.rt-script] by default) and require VPN authentication for anyone who needs to access the controller.
The OPC UA (Open Platform Communications Unified Architecture) provides machine-to-machine communication for automation and the Internet of Things (IoT). The OPC UA uses port [.rt-script]4840[.rt-script] by default, which should be closed to the internet.
If your organization uses Ubiquiti products for managing wireless networks, implement security measures to protect the central software controller. Ubiquiti ports should be closed to the internet and require VPN authentication for a user to access or manage devices.
UpGuard is constantly adding new detection for exposed ports. Please contact our support team if you'd like to discuss a port not covered in this article. In addition to these machine ports, UpGuard identifies a variety of other services and potential risks impacting your system. For more information about risk findings, review the articles in our Risks and Vulnerabilities category.
How to secure exposed ports
Once you've identified exposed services through port scanning and network audits, you need to update your device configuration and networked device policies to account for any new risk factors.
Close unnecessary ports
The first action to protect exposed ports is to secure them by limiting traffic. Unless absolutely necessary for operational purposes, ports should not be publicly accessible. For example, a non-employee does not need to access the brew time settings on your break room's coffee machine.
Provide network segmentation
Create separation between devices and services by implementing network segmentation. With a physical segment that manages all your physical devices, you can provide distance between devices like a coffee machine and sensitive data stored virtually. Meanwhile, you can augment your virtual segmentation with stronger firewalls and access control.
Require authenticated access
Ensure that employees use a virtual private network (VPN) and multi-factor authentication (MFA) to access any sensitive data. If team members will be managing configuration settings for any physical devices, route that management and configuration process through an authentication step.
Automate software updates
Configure your physical devices to run automatic updates when available so that your resources can focus on overall security and not just manual updates. Create a maintenance plan that ensures all assets receive routine care and review, deprecating anything that reaches its end-of-life.
Scan for exposed services
Scan your network regularly and audit open ports. You can use a network scanning tool like nmap to evaluate security risks related to a specific port, or you can use an automated solution like UpGuard. Once you find the exposed service and its associated port number, you can update your firewall to limit traffic on that port.
Perform continuous monitoring with UpGuard
UpGuard BreachSight helps you understand the risks impacting your external security posture. With our user-friendly platform, you can view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents.
To learn more about your particular domain's practices in relation to these exposed port findings and other security concerns, access your Risk Profile in BreachSight to search for each finding by name. Once you have identified concerns, you can manage your remediation process within UpGuard as well. You can reach out to our support team to investigate and verify any port findings that have been identified for your assets.
If you're not a current UpGuard user and you want to review your public-facing assets for these findings and more, sign up for a trial.
