Federal audit: Remote attackers could ‘use a connected Lexmark printer to conduct cyberespionage’

Lexmark, formerly IBM, plant site at New Circle Rd. and Newtown Pike, Aug. 26, 1993. Herald-Leader

A federal audit says Lexmark printers are among the products “with known cybersecurity risks” that the Defense Department bought last year.

The audit by the Inspector General of the U.S. Department of Defense found that the Army and Air Force used government purchase cards to spend at least $32.8 million in fiscal year 2018 on “commercial off-the-shelf” information technology items that have “known cybersecurity vulnerabilities.”

“If the DoD continues to purchase and use (commercial off-the-shelf) information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with (those) items, missions critical to national security could be compromised,” the audit stated.

The audit specifically mentions Lenovo computers, Lexmark printers and GoPro cameras as items with vulnerabilities that could be exploited by U.S. adversaries.

The audit says the Army and Air Force have spent more than $30 million on 8,000 Lexmark printers.

“The National Vulnerabilities Database lists 20 cybersecurity vulnerabilities for Lexmark, including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer,” the audit states. “These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network.”

But Lexmark issued a statement Friday saying “each Lexmark hardware issue referenced in the Inspector General’s report was fixed” and denying the audit’s characterization of the company, which is based in Lexington but owned by a Chinese conglomerate.

“We are disappointed by and strongly disagree with the representation of Lexmark in the DoD Inspector General Audit,” Brad Clay, Lexmark’s senior vice president and chief information and compliance officer, said in the statement. “Lexmark is an independent U.S.-based company and has been a proud supplier to the U.S. federal government for more than 25 years.”

While the audit says a 2018 congressional report accused Lexmark of having “connections to Chinese military, nuclear and cyberespionage programs,” Clay said in his statement that “no such link is discussed or even suggested in that report.”

The April 2018 congressional report on supply chain vulnerabilities from China includes Lexmark on a list of technology companies that are “connected to entities of concern.” Lexmark was acquired in 2016 by a Chinese consortium that includes Legend Capital, which is also on the list.

Clay said in the statement that “Lexmark owners are financial investors only and have no access to the Lexmark network, no access to source code of any kind, and no access to any U.S. customer information. In fact, Lexmark is audited annually by a U.S. government-approved third party Security Monitor to ensure adherence to the controls we have in place to prevent security or supply chain vulnerabilities. We have successfully passed each audit and welcome the comparison of our security procedures and processes to any peer IT company.”

The congressional report says that researchers in 2017 “uncovered vulnerabilities in HP, Dell and Lexmark printers that allowed attackers to steal passwords, shut down printers and even reroute print jobs.”

Clay said the company “addresses reported security vulnerabilities with high urgency.”

The federal audit recommends several steps that it says the Defense Department should take.

It says the Pentagon did not have an approved products list, acquisition policies addressing the potential risks of commercial off-the-shelf information technology items or controls to prevent those items from being bought.
