WO2022154983A1 - Authentication-based interactions with external devices - Google Patents

Authentication-based interactions with external devices

Publication number
WO2022154983A1
Authority
WO
WIPO (PCT)
Prior art keywords
external device
image forming
forming apparatus
credential
port
Application number
PCT/US2021/071809
Inventor
Kotapati VIJAY KRISHNA
Sunil M. KUMAR
Lakshmi Narasimham AKELLA
Azghar Sheik ALI
Original Assignee
Hewlett-Packard Development Company, L.P.
Application filed by Hewlett-Packard Development Company, L.P.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof

Definitions

  • the Internet of Things may refer to an interconnection of uniquely identifiable embedded devices within the Internet infrastructure.
  • An example of an IoT device may be a notebook computer, tablet computer, an image forming apparatus, or the like.
  • Such IoT devices may include an input/output (I/O) port to connect to an external device (e.g., a flash drive).
  • Example I/O port may be a universal serial bus (USB) port.
  • the USB port may be a plug and play interface that allows the IoT device to communicate with the external device.
  • an image forming apparatus may support various external devices such as Bluetooth adaptors, wireless accessories, USB drives, human interface device (HID) devices, or the like to connect via the USB port.
  • FIG. 1A is a block diagram of an example Internet of Things (IoT) device, including a processor to enable an interaction between an external device and the IoT device;
  • FIG. 1B is a block diagram of the example IoT device of FIG. 1A, depicting additional features
  • FIG. 2 is a block diagram of an example image forming apparatus including non-transitory machine-readable storage medium storing instructions to restrict data transfer to or from an external device;
  • FIG. 3A is a block diagram of an example image forming apparatus, including a detection circuitry to prompt a user to input a user credential in response to a detection of an external device connected to an input/output (I/O) port;
  • FIG. 3B is a block diagram of the example image forming apparatus of FIG. 3A, depicting the detection circuitry communicatively connected to an authentication server;
  • FIG. 4 is a flowchart illustrating an example method for enabling/restricting an external device to interact with an image processing apparatus based on authentication of a user credential
  • FIG. 5 is a flowchart illustrating an example method for enabling/restricting an interaction between an image processing apparatus and an external device
  • FIG. 6 is a flowchart illustrating another example method for enabling/restricting an interaction between an image processing apparatus and an external device.
  • FIG. 7 is a flowchart illustrating yet another example method for enabling/restricting an interaction between an image processing apparatus and an external device.
  • the Internet of Things may refer to electronic devices that are able to connect to the Internet and share data with other Internet enabled devices. With information transmitted across several devices, there can be a danger of data getting intercepted and used for malicious purposes. For example, an IoT device such as an image forming apparatus or a wireless router can be hacked into, thereby providing access to an entire home or office network.
  • the term “IoT device” may refer to any object or electronic device (e.g., an image forming apparatus, a notebook computer, a tablet computer, a wireless router, and the like) that has an addressable interface (e.g., an Internet protocol (IP) address, a Bluetooth identifier (ID), a near-field communication (NFC) ID, or the like) and can transmit information to other devices over a wired or wireless connection.
  • Such IoT devices may include an input/output (I/O) port to connect to an external device (e.g., a flash drive, a mobile phone, or the like).
  • Example I/O port may be a universal serial bus (USB) port.
  • the USB port may exhibit plug and play capabilities to connect the IoT device with the external device.
  • an image forming apparatus may support various external devices such as Bluetooth adaptors, wireless accessories, USB drives, human interface device (HID) devices, or the like to connect via the USB port.
  • the external device connected over USB can extend device capability, NFC, Bluetooth adaptors, smart card readers, and the like.
  • the USB connection might be a way to charge the external device and transport data.
  • users may plug the external devices into the USB port; however, the users may not be aware of the potential risks involved therein.
  • a device with storage, wireless, or Bluetooth capabilities may carry an infection.
  • the USB ports may be significantly prone to cyber-attacks (e.g., bad USB (i.e., an attack that exploits an inherent vulnerability in USB firmware), deploying malware, stealing sensitive data, and the like) on the IoT devices.
  • the USB connection may be a conduit for transferring malware onto a network associated with the IoT device and for stealing data.
  • trusting/remembering the external device, the USB connection, or the user over a period may put the security at risk in the network.
  • Examples described herein may provide an Internet-of-Things (IoT) device including an I/O port and a processor.
  • the processor may detect an external device connected to the I/O port. Further, the processor may prompt the user to input a device credential associated with the IoT device in response to the detection that the external device is connected to the I/O port.
  • the processor may enable an interaction between the external device and the IoT device upon an authentication of the inputted device credential. In another example, the processor may restrict the interaction between the external device and the IoT device in response to an unsuccessful authentication of the inputted device credential.
  • examples described herein may significantly reduce the USB attacks on the IoT device as the IoT device prompts (e.g., on a graphical user interface of the IoT device, an IoT supported mobile application, or the like) the user to enter the device credential upon detecting the external device plugged into the I/O port and provides access to the external device based on authentication of the device credential.
  • FIG. 1A is a block diagram of an example IoT device 100, including a processor 104 to enable an interaction between an external device 106 and IoT device 100.
  • Example IoT device 100 may operate through the Internet, enabling a transfer of data to other electronic devices over a wired or wireless connection.
  • IoT device 100 may be an image forming apparatus, a wireless router, a notebook computer, tablet computer, or the like.
  • Example external device 106 may be a peripheral device that plugs into IoT device 100 via an input/output (I/O) port 102.
  • I/O port 102 may serve as an interface between IoT device 100 and external device 106.
  • I/O port 102 may be a universal serial bus (USB) port.
  • Example external device 106 may be a Bluetooth adaptor, a wireless accessory, a USB drive, a human interface device (HID) device, or the like.
  • IoT device 100 may include I/O port 102 and processor 104.
  • Processor 104 may be a type of central processing unit (CPU), microprocessor, or processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium in IoT device 100.
  • processor 104 may provide a setting to configure IoT device 100 with a device credential.
  • the device credential may prevent unauthorized access to I/O port 102.
  • processor 104 may receive an input to configure the setting.
  • processor 104 may register the received input as the device credential.
  • the device credential may be a password, fingerprint, radio frequency identifier, written signature, voice signature, cryptographic key, retina, facial features, physical key, and/or the like.
  • processor 104 may configure the device credential as part of a registration process or out-of-box-experience (OOBE) process performed on IoT device 100.
  • the OOBE process may include a series of screens (e.g., on a graphical user interface associated with IoT device 100, an IoT supported mobile application, or the like) that require a user to accept a license agreement, log in with, or sign up for an account to prepare IoT device 100 for first use.
  • the OOBE process may be defined by a device vendor to set up IoT device 100 and may include an option to set up the device credential.
  • the user may set the device credentials during the OOBE process.
  • the user may setup the device credentials after the OOBE process is completed.
  • processor 104 may detect external device 106 connected to I/O port 102. For example, processor 104 may detect that external device 106 is connected to I/O port 102 when external device 106 is plugged into I/O port 102. Further, processor 104 may provide a prompt to enter the device credential associated with IoT device 100 in response to the detection of external device 106 connected to I/O port 102. Furthermore, processor 104 may enable an interaction between external device 106 and IoT device 100 upon an authentication (e.g., a successful authentication) of the entered device credential. In another example, processor 104 may restrict the interaction between external device 106 and IoT device 100 in response to an unsuccessful authentication of the entered device credential.
  • FIG. 1B is a block diagram of example IoT device 100 of FIG. 1A, depicting additional features.
  • IoT device 100 may include a graphical user interface 150, an input unit 152, and a memory 154.
  • Example graphical user interface 150 may be a visual way of interacting with IoT device 100 using items such as icons, menus, and the like.
  • processor 104 may display the setting to configure IoT device 100 with the device credential using graphical user interface 150.
  • the device credential may be stored in memory 154 as stored credential 156.
  • processor 104 may provide the prompt on graphical user interface 150 to enter the device credential in response to the detection of external device 106 connected to I/O port 102.
  • processor 104 may provide the prompt on an IoT supported mobile application.
  • the user may input the device credential via input unit 152 or through the mobile application.
  • Example input unit 152 may be an alpha-numeric keypad, a biometric device such as a fingerprint sensor detecting a fingerprint, a retina sensor detecting a retina, or the IoT supported mobile application which may also be used to receive the input.
  • processor 104 may enable external device 106 to access IoT device 100 or vice versa upon the authentication of the device credentials.
  • processors may be provided using dedicated hardware as well as hardware capable of executing programs.
  • the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared.
  • explicit use of the term “processor” may not be construed to refer exclusively to hardware capable of executing programs, and may implicitly include, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA), or the like. In some examples, other custom-built hardware may also be included.
  • FIG. 2 is a block diagram of an example image forming apparatus 200 including non-transitory machine-readable storage medium 204 storing instructions to restrict data transfer to or from an external device.
  • Image forming apparatus 200 may include a processor 202 and machine-readable storage medium 204 communicatively coupled through a system bus.
  • Processor 202 may be any type of central processing unit (CPU), microprocessor, or processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium 204.
  • Machine-readable storage medium 204 may be a random-access memory (RAM) or another type of dynamic storage device that may store information and machine-readable instructions that may be executed by processor 202.
  • machine-readable storage medium 204 may be synchronous DRAM (SDRAM), double data rate (DDR), rambus DRAM (RDRAM), rambus RAM, etc., or storage memory media such as a floppy disk, a hard disk, a CD-ROM, a DVD, a pen drive, and the like.
  • machine-readable storage medium 204 may be non-transitory machine-readable medium.
  • Machine-readable storage medium 804 may be remote but accessible to image forming apparatus 200.
  • image forming apparatus may refer to a device that may encompass any apparatus that accepts a job-request and performs at least one of the following functions or tasks: print, scan, and/or fax.
  • Image forming apparatus 200 may be a single function peripheral (SFP) or a multifunction peripheral (MFP).
  • Example image forming apparatus 200 can be a laser beam printer (e.g., using an electrophotographic method for printing), an ink jet printer (e.g., using an ink jet method for printing), or the like.
  • machine-readable storage medium 204 may store instructions 206-212.
  • instructions 206-212 may be executed by processor 202 to restrict data transfer to or from an external device.
  • machine-readable storage medium 204 may store instructions to enable a user to configure image forming apparatus 200 with the user credential to access an input/output (I/O) port.
  • the instructions may enable setting the user credential for image forming apparatus 200 using a configuration setting of image forming apparatus 200.
  • the instructions may associate the user credential to a user account.
  • the instructions may store the user credential in a memory of image forming apparatus 200 or an external storage connected to image forming apparatus 200.
  • instructions 206 may be executed by processor 202 to detect an external device connected to the I/O port of image forming apparatus 200.
  • Instructions 208 may be executed by processor 202 to display a prompt to input a user credential associated with image forming apparatus 200 in response to the detection that the external device is connected to the I/O port.
  • Instructions 210 may be executed by processor 202 to authenticate the inputted user credential.
  • instructions 210 to authenticate the inputted user credential may include instructions to: - retrieve the stored user credential from the memory or the external storage, and
  • Instructions 212 may be executed by processor 202 to restrict data transfer to or from the external device in response to an unsuccessful authentication of the inputted user credential.
  • machine-readable storage medium 204 may store instructions to generate an alert to notify a failed event to access the I/O port upon restricting the data transfer to or from the external device.
  • the generated alert may be sent to an administrator through an email, a voice call, an instant message, an audio/visual indication on a user interface, or the like.
  • machine-readable storage medium 204 may store instructions to record the failed event in a firmware log upon restricting the data transfer to or from the external device. The recorded failed events may be used to track the security attacks via the I/O port.
  • FIG. 3A is a block diagram of an example image forming apparatus 300, including a detection circuitry 308 to prompt a user to input a user credential in response to a detection of an external device 316 connected to an I/O port 302.
  • image forming apparatus 300 may include a memory 312.
  • Example memory 312 may include a stored credential 314 as set by a user to prevent unauthorized access to I/O port 302.
  • the user may set a credential (e.g., a password, pass phrase, certificate, personal identification number (PIN), or the like) using an OOBE process.
  • the user may set the credential using configuration settings of image forming apparatus 300.
  • image forming apparatus 300 may store credential 314 in memory 312.
  • examples described herein would leverage the authentication feature of image forming apparatus 300.
  • image forming apparatus 300 may include detection circuitry 308 to detect external device 316 connected to I/O port 302. Upon detecting external device 316, detection circuitry 308 may display a prompt (e.g., on a graphical user interface 304, an IoT supported mobile application, or the like) to input a user credential associated with image forming apparatus 300. Further, the user may input the user credential via an input unit 306 (e.g., a control panel, a biometric device, or the like).
  • image forming apparatus 300 may include an authentication circuitry 310 to authenticate the inputted user credential.
  • authentication circuitry 310 may authenticate the inputted user credential by comparing the inputted user credential with stored credential 314.
  • image forming apparatus 300 may allow the data transfer to or from external device 316 in response to a successful authentication of the inputted user credential.
  • image forming apparatus 300 may restrict the data transfer to or from the external device in response to an unsuccessful authentication of the inputted user credential.
  • examples described in FIG. 3A may provide an authentication process as part of image forming apparatus 300 to authenticate the user credential.
  • the authentication process can also be performed using an authentication server connected to image forming apparatus 300 as shown in FIG. 3B.
  • FIG. 3B is a block diagram of example image forming apparatus 300 of FIG. 3A, depicting detection circuitry 308 communicatively connected to an authentication server 350.
  • similarly named elements of FIG. 1B may be similar in structure and/or function to elements described with respect to FIG. 3A.
  • image forming apparatus 300 may be externally connected to authentication server 350.
  • authentication circuitry 310 and memory 312 may be implemented as part of authentication server 350.
  • detection circuitry 308 may display a prompt on graphical user interface 304 to input a user credential associated with image forming apparatus 300 in response to detecting external device 316 connected to I/O port 302.
  • image forming apparatus 300 may forward the inputted user credential to authentication server 350.
  • authentication circuitry 308 residing in authentication server 350 may authenticate the inputted user credential by comparing the inputted user credential with stored credential 314.
  • the functionalities described herein, in relation to instructions to implement functions of detection circuitry 308, authentication circuitry 310, and any additional instructions described herein in relation to the storage medium may be implemented as engines or modules including any combination of hardware and programming to implement the functionalities of the modules or engines described herein.
  • the functions of detection circuitry 308 and authentication circuitry 310 may also be implemented by a processor.
  • processor may include, for example, one processor or multiple processors included in a single device or distributed across multiple devices.
  • FIG. 4 is a flowchart illustrating an example method 400 for enabling/restricting an external device to interact with an image processing apparatus based on an authentication of a user credential.
  • Example image forming apparatus may be a single function peripheral (SFP) or a multi-function peripheral (MFP).
  • Example external device may be a Bluetooth adaptor to connect a Bluetooth peripheral device with the image forming apparatus. In other examples, external device may also include a flash drive, a mobile device, or the like.
  • the image forming apparatus may be configured with a user credential to access an I/O port of the image processing apparatus.
  • the user credential may be associated to a user profile.
  • the user credential can be set by an administrator and then the user credential may be associated to respective user profile.
  • the user credential may be same or different for each user in the enterprise.
  • Example SMB scenario is described in FIG. 6.
  • the user credential can be set by each employee as per an enterprise security policy after the administrator deploys the image forming apparatus.
  • the user credential may be stored in a centralized database.
  • Example enterprise scenario is described in FIG. 7.
  • an external device may be detected as being plugged into the I/O port.
  • a prompt to input the user credential associated with the user profile may be displayed in response to detecting the external device plugged into the I/O port.
  • the inputted user credential may be authenticated.
  • a check may be made to determine whether the inputted user credential is successfully authenticated.
  • the external device may be enabled to interact with the image processing apparatus, at 414.
  • enabling the external device to interact with the image processing apparatus may include enabling the image processing apparatus to access the external device to perform a function associated with the image forming apparatus.
  • the function may include printing a document from the external device, scanning a document to the external device, storing a received fax in the external device, transmitting a stored document in the external device in accordance with a user-selectable operation of the image forming apparatus, or the like.
  • the external device may be restricted to interact with the image processing apparatus, at 416. Further, an event associated with the successful authentication or the unsuccessful authentication may be recorded and maintained in a firmware log associated with the image forming apparatus. Thus, the user or an enterprise may be able to monitor user actions via the firmware logs to trace security attacks.
  • FIG. 5 is a flowchart illustrating an example method 500 for enabling/restricting an interaction between an image processing apparatus and an external device.
  • the image processing apparatus may be considered to be procured by a user in a home scenario.
  • a device credential associated with the image forming apparatus may be configured while setting up the image forming apparatus.
  • the user may follow an out-of-box experience (OOBE) procedure to setup the image forming apparatus.
  • the user may set the device credentials during the OOBE process.
  • the user may setup the device credentials after the OOBE process is completed.
  • the device credential may be stored in an internal memory of the image forming apparatus.
  • an external device may be detected as being plugged into an I/O port of the image forming apparatus.
  • the user may connect the external device such as a USB device for a scan workflow, USB printing, fax workflow, a stored job workflow, USB based Bluetooth adaptor, or the like.
  • a prompt to input the device credential may be displayed in response to detecting the external device plugged into the I/O port.
  • the prompt may be displayed on a user interface of the image forming apparatus.
  • a check may be made to determine whether the inputted device credential is successfully authenticated.
  • an authentication service may be invoked to authenticate the inputted device credential.
  • the authentication service may compare the inputted device credential and the stored device credential to authenticate the inputted device credential.
  • the external device may be enabled to interact with the image processing apparatus, at 510. Further, an event associated with the successful authentication may be recorded in a firmware log associated with the image forming apparatus, at 512.
  • the external device may be restricted to interact with the image processing apparatus, at 514.
  • an alert may be generated to notify a failed event to access the I/O port.
  • the generated alert (e.g., to indicate a suspicious activity) may be communicated to the owner/user via a notification on a mobile application, displayed on a control panel of the image forming apparatus, or sent to a registered email of the user.
  • an event associated with the unsuccessful authentication may be recorded in the firmware log associated with the image forming apparatus, at 512.
  • connection information associated with the external device with the image forming apparatus may be removed or erased. For example, when the user unplugs the external device from the image forming apparatus, the image forming apparatus may forget the connection. Further, when the user again connects the external device to the image forming apparatus, the image forming apparatus, instead of remembering the external device or connection, may prompt to input the device credential. For example, when a hacker or unknown user connects any external device, the image forming apparatus may prompt to input the device credential. Thus, the image forming apparatus may restrict access to the I/O port.
  • FIG. 6 is a flowchart illustrating another example method 600 for enabling/restricting an interaction between an image processing apparatus and an external device.
  • the image processing apparatus may be considered to be procured by a small and medium-sized business (SMB).
  • a user credential for the image forming apparatus may be set using a configuration setting of the image forming apparatus.
  • an administrator associated with the SMB may follow an out-of-box experience (OOBE) procedure to setup the image forming apparatus and setup the user credential during the OOBE procedure.
  • the administrator may setup the user credential after the OOBE process is completed.
  • the user credential may be associated to a user account.
  • the administrator may setup different user profiles for the employees. Further, the administrator may assign the user credential to the user profiles. In an example, the user credential may be same or different to each of the employees.
  • an external device may be detected as being plugged into an I/O port of the image forming apparatus. For example, an employee may connect the external device to the image forming apparatus via the I/O port for a scan workflow, USB printing, fax workflow, a stored job workflow, a Bluetooth adaptor, or the like.
  • a prompt to input the user credential may be displayed.
  • a check may be made to determine whether the inputted user credential is successfully authenticated.
  • the external device may be enabled to interact with the image processing apparatus, at 612. Further, an event associated with the successful authentication may be recorded in a firmware log associated with the image forming apparatus, at 614.
  • the external device may be restricted to interact with the image processing apparatus, at 616.
  • an alert may be generated to notify a failed event to access the I/O port.
  • the generated alert e.g., to indicate a suspicious activity
  • the alert may be communicated to the administrator via a notification on a mobile application, the alert may be sent to a registered email of the administrator, or the like.
  • an event associated with the unsuccessful authentication may be recorded in the firmware log associated with the image forming apparatus, at 614.
  • a detection that the external device is unplugged from the I/O port may be made by the image forming apparatus.
  • connection information associated with the external device may be removed or erased from the image forming apparatus.
  • examples described herein may include a zero-trust approach as the image forming apparatus may forget the connection in response to the detection that the external device is unplugged from the image forming apparatus.
  • the image forming apparatus may follow the authentication process again to allow/restrict the interaction of the external device with the image forming apparatus.
  • FIG. 7 is a flowchart illustrating yet another example method 700 for enabling/restricting an interaction between an image processing apparatus and an external device.
  • a user credential may be set as part of an enterprise password policy for an image forming apparatus. For example, when an enterprise procures the image forming apparatus, an administrator may follow an OOBE process to set up the image forming apparatus. The administrator may set up the image forming apparatus in an enterprise network and enroll the image forming apparatus to an authentication service such as Windows, lightweight directory access protocol (LDAP) based authentication, or any other centrally managed authentication service. Further, an employee may be allowed to set up the user credential as part of the enterprise password policy.
  • the user credential may be stored against corresponding user account in the authentication service, for instance.
  • an external device may be detected as being plugged into an I/O port of the image forming apparatus.
  • an employee may connect the external device to the image forming apparatus via the I/O port for a scan workflow, USB printing, fax workflow, a stored job workflow, a Bluetooth adaptor, third-party wireless accessory, card reader, or the like.
  • a prompt to input the user credential may be displayed.
  • the user credential may be authenticated using the authentication service.
  • the image forming apparatus may send the inputted user credential to the authentication service for authentication.
  • a check may be made to determine whether the inputted user credential is successfully authenticated.
  • the external device may be enabled to interact with the image processing apparatus, at 714. Further, an event associated with the successful authentication may be recorded in a firmware log associated with the image forming apparatus, at 716.
  • the external device may be restricted to interact with the image processing apparatus, at 718.
  • an alert may be generated to notify a failed event to access the I/O port.
  • the generated alert e.g., to indicate a suspicious activity
  • SIEM security information and event management
  • an event associated with the unsuccessful authentication may be recorded in the firmware log associated with the image forming apparatus, at 716.
  • a detection that the external device is unplugged from the I/O port may be made by the image forming apparatus.
  • connection information associated with the external device may be removed or erased from the image forming apparatus.
  • the image forming apparatus may forget the connection.
  • the image forming apparatus may be secured from unwanted access via the I/O port from inside and/or outside threats (e.g., sensitive information disclosure, malware attack, denial of service attack, and the like).
  • method 400, 500, 600, or 700 depicted in FIGs. 4, 5, 6, or 7 represents generalized illustrations, and that other processes may be added, or existing processes may be removed, modified, or rearranged without departing from the scope and spirit of the present application.
  • the processes may represent instructions stored on a computer-readable storage medium that, when executed, may cause a processor to respond, to perform actions, to change states, and/or to make decisions.
  • the processes of method 400, 500, 600, or 700 may represent functions and/or actions performed by functionally equivalent circuits like analog circuits, digital signal processing circuits, application specific integrated circuits (ASICs), or other hardware components associated with the system.
  • ASICs application specific integrated circuits
  • example method 400, 500, 600, or 700 may not be intended to limit the implementation of the present application, but rather example method 400, 500, 600, or 700 illustrates functional information to design/fabricate circuits, generate machine-readable instructions, or use a combination of hardware and machine-readable instructions to perform the illustrated processes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Accessory Devices And Overall Control Thereof (AREA)

Abstract

An Internet-of-Things (IoT) device may include an input/output (I/O) port and a processor. The processor may detect an external device connected to the I/O port. Further, the processor may provide a prompt to enter a device credential associated with the IoT device in response to the detection of the external device connected to the I/O port. Furthermore, the processor may enable an interaction between the external device and the IoT device upon an authentication of the entered device credential. In an example, the processor may restrict the interaction between the external device and the IoT device in response to an unsuccessful authentication of the entered device credential.

Description

AUTHENTICATION-BASED INTERACTIONS WITH EXTERNAL DEVICES
BACKGROUND
[0001] The Internet of Things (IoT) may refer to an interconnection of uniquely identifiable embedded devices within the Internet infrastructure. An example of an IoT device may be a notebook computer, tablet computer, an image forming apparatus, or the like. Such IoT devices may include an input/output (I/O) port to connect to an external device (e.g., a flash drive). Example I/O port may be a universal serial bus (USB) port. The USB port may be a plug and play interface that allows the IoT device to communicate with the external device. For example, an image forming apparatus may support various external devices such as Bluetooth adaptors, wireless accessories, USB drives, human interface device (HID) devices, or the like to connect via the USB port.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] Examples are described in the following detailed description and in reference to the drawings, in which:
[0003] FIG. 1A is a block diagram of an example Internet of Things (IoT) device, including a processor to enable an interaction between an external device and the IoT device;
[0004] FIG. 1B is a block diagram of the example IoT device of FIG. 1A, depicting additional features;
[0005] FIG. 2 is a block diagram of an example image forming apparatus including non-transitory machine-readable storage medium storing instructions to restrict data transfer to or from an external device;
[0006] FIG. 3A is a block diagram of an example image forming apparatus, including a detection circuitry to prompt a user to input a user credential in response to a detection of an external device connected to an input/output (I/O) port;
[0007] FIG. 3B is a block diagram of the example image forming apparatus of FIG. 3A, depicting the detection circuitry communicatively connected to an authentication server;
[0008] FIG. 4 is a flowchart illustrating an example method for enabling/restricting an external device to interact with an image processing apparatus based on authentication of a user credential;
[0009] FIG. 5 is a flowchart illustrating an example method for enabling/restricting an interaction between an image processing apparatus and an external device;
[0010] FIG. 6 is a flowchart illustrating another example method for enabling/restricting an interaction between an image processing apparatus and an external device; and
[0011] FIG. 7 is a flowchart illustrating yet another example method for enabling/restricting an interaction between an image processing apparatus and an external device.
DETAILED DESCRIPTION
[0012] The Internet of Things (IoT) may refer to electronic devices that are able to connect to the Internet and share data with other Internet enabled devices. With information transmitted across several devices, there can be a danger of data getting intercepted and used for malicious purposes. For example, an IoT device such as an image forming apparatus or a wireless router can be hacked into, thereby providing access to the entire home or office network. The term “IoT device” may refer to any object or electronic device (e.g., an image forming apparatus, a notebook computer, a tablet computer, a wireless router, and the like) that has an addressable interface (e.g., an Internet protocol (IP) address, a Bluetooth identifier (ID), a near-field communication (NFC) ID, or the like) and can transmit information to other devices over a wired or wireless connection.
[0013] Such IoT devices may include an input/output (I/O) port to connect to an external device (e.g., a flash drive, a mobile phone, or the like). Example I/O port may be a universal serial bus (USB) port. The USB port may exhibit plug and play capabilities to connect the IoT device with the external device. For example, an image forming apparatus may support various external devices such as Bluetooth adaptors, wireless accessories, USB drives, human interface device (HID) devices, or the like to connect via the USB port.
[0014] To increase the connectivity and the data storage experience, multiple external devices may have to be supported over the USB. For example, the external device connected over USB can extend device capability, NFC, Bluetooth adaptors, smart card readers, and the like. Also, the USB connection might be a way to charge the external device and transport data. In this regard, users may plug the external devices into the USB port; however, the users may not be aware of the potential risks involved therein. For example, a device with storage, wireless, or Bluetooth capabilities may carry an infection. Further, the USB ports may be significantly prone to cyber-attacks (e.g., bad USB (i.e., an attack that exploits an inherent vulnerability in USB firmware), deploying malware, stealing sensitive data, and the like) on the IoT devices. Hence, the USB connection may be a conduit for transferring malware onto a network associated with the IoT device and for stealing data. In addition, trusting/remembering the external device, the USB connection, or the user over a period may put the security at risk in the network.
[0015] Thus, malicious USB connection or an external device may lead to:
- Attacker leveraging the USB port as a power source for USB enabled hardware which can launch the attack or gather information.
- Compromise on the security of the enterprise or home network infrastructure through malware, spyware, botnet based cyber-attacks, and the like.
- Unavailability of the IoT device due to cyber-attacks.
- Significantly bad user experience due to non-availability of the IoT device due to cyber-attacks.
[0016] Examples described herein may provide an Internet-of-Things (IoT) device including an I/O port and a processor. During operation, the processor may detect an external device connected to the I/O port. Further, the processor may prompt the user to input a device credential associated with the IoT device in response to the detection that the external device is connected to the I/O port. The processor may enable an interaction between the external device and the IoT device upon an authentication of the inputted device credential. In another example, the processor may restrict the interaction between the external device and the IoT device in response to an unsuccessful authentication of the inputted device credential. Thus, examples described herein may significantly reduce the USB attacks on the IoT device as the IoT device prompts (e.g., on a graphical user interface of the IoT device, an IoT supported mobile application, or the like) the user to enter the device credential upon detecting the external device plugged into the I/O port and provides access to the external device based on authentication of the device credential.
[0017] In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present techniques. However, the example apparatuses, devices, and systems, may be practiced without these specific details. Reference in the specification to “an example” or similar language means that a particular feature, structure, or characteristic described may be included in at least that one example but may not be in other examples.
[0018] Turning now to the figures, FIG. 1A is a block diagram of an example IoT device 100, including a processor 104 to enable an interaction between an external device 106 and IoT device 100. Example IoT device 100 may operate through the Internet, enabling a transfer of data to other electronic devices over a wired or wireless connection. For example, IoT device 100 may be an image forming apparatus, a wireless router, a notebook computer, tablet computer, or the like. Example external device 106 may be a peripheral device that plugs into IoT device 100 via an input/output (I/O) port 102. I/O port 102 may serve as an interface between IoT device 100 and external device 106. For example, I/O port 102 may be a universal serial bus (USB) port. Example external device 106 may be a Bluetooth adaptor, a wireless accessory, a USB drive, a human interface device (HID) device, or the like.
[0019] As shown in FIG. 1A, IoT device 100 may include I/O port 102 and processor 104. Processor 104 may be a type of central processing unit (CPU), microprocessor, or processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium in IoT device 100. In an example, processor 104 may provide a setting to configure IoT device 100 with a device credential. The device credential may prevent unauthorized access to I/O port 102. Further, processor 104 may receive an input to configure the setting. Furthermore, processor 104 may register the received input as the device credential. In an example, the device credential may be a password, fingerprint, radio frequency identifier, written signature, voice signature, cryptographic key, retina, facial features, physical key, and/or the like.
[0020] In an example, processor 104 may configure the device credential as part of a registration process or out-of-box-experience (OOBE) process performed on IoT device 100. For example, the OOBE process may include a series of screens (e.g., on a graphical user interface associated with IoT device 100, an IoT supported mobile application, or the like) that require a user to accept a license agreement, log in with, or sign up for an account to prepare IoT device 100 to first use. The OOBE process may be defined by a device vendor to setup IoT device 100 and may include an option to setup the device credential. In an example, the user may set the device credentials during the OOBE process. In another example, the user may setup the device credentials after the OOBE process is completed.
[0021] During operation, processor 104 may detect external device 106 connected to I/O port 102. For example, processor 104 may detect that external device 106 is connected to I/O port 102 when external device 106 is plugged into I/O port 102. Further, processor 104 may provide a prompt to enter the device credential associated with IoT device 100 in response to the detection of external device 106 connected to I/O port 102. Furthermore, processor 104 may enable an interaction between external device 106 and IoT device 100 upon an authentication (e.g., a successful authentication) of the entered device credential. In another example, processor 104 may restrict the interaction between external device 106 and IoT device 100 in response to an unsuccessful authentication of the entered device credential.
[0022] FIG. 1B is a block diagram of example IoT device 100 of FIG. 1A, depicting additional features. For example, similarly named elements of FIG. 1B may be similar in structure and/or function to elements described with respect to FIG. 1A. As shown in FIG. 1B, IoT device 100 may include a graphical user interface 150, an input unit 152, and a memory 154. Example graphical user interface 150 may be a visual way of interacting with IoT device 100 using items such as icons, menus, and the like. In an example, processor 104 may display the setting to configure IoT device 100 with the device credential using graphical user interface 150. Further, the device credential may be stored in memory 154 as stored credential 156.
[0023] During operation, processor 104 may provide the prompt on graphical user interface 150 to enter the device credential in response to the detection of external device 106 connected to I/O port 102. In another example, processor 104 may provide the prompt on an IoT supported mobile application. Further, the user may input the device credential via input unit 152 or through the mobile application. Example input unit 152 may be an alpha-numeric keypad, a biometric device such as a fingerprint sensor detecting a fingerprint, a retina sensor detecting a retina, or the IoT supported mobile application which may also be used to receive the input. Further, processor 104 may enable external device 106 to access IoT device 100 or vice versa upon the authentication of the device credentials.
[0024] The functions of the various elements shown in FIGs. 1A and 1B, including any functional blocks labeled as “processor(s)”, may be provided using dedicated hardware as well as hardware capable of executing programs. When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Further, explicit use of the term “processor” may not be construed to refer exclusively to hardware capable of executing programs, and may implicitly include, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA), or the like. In some examples, other custom-built hardware may also be included.
[0025] FIG. 2 is a block diagram of an example image forming apparatus 200 including non-transitory machine-readable storage medium 204 storing instructions to restrict data transfer to or from an external device. Image forming apparatus 200 may include a processor 202 and machine-readable storage medium 204 communicatively coupled through a system bus. Processor 202 may be any type of central processing unit (CPU), microprocessor, or processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium 204.
[0026] Machine-readable storage medium 204 may be a random-access memory (RAM) or another type of dynamic storage device that may store information and machine-readable instructions that may be executed by processor 202. For example, machine-readable storage medium 204 may be synchronous DRAM (SDRAM), double data rate (DDR), rambus DRAM (RDRAM), rambus RAM, etc., or storage memory media such as a floppy disk, a hard disk, a CD-ROM, a DVD, a pen drive, and the like. In an example, machine-readable storage medium 204 may be non-transitory machine-readable medium. Machine-readable storage medium 804 may be remote but accessible to image forming apparatus 200.
[0027] As used herein, the term “image forming apparatus” may refer to a device that may encompass any apparatus that accepts a job-request and performs at least one of the following functions or tasks: print, scan, and/or fax. Image forming apparatus 200 may be a single function peripheral (SFP) or a multifunction peripheral (MFP). Example image forming apparatus 200 can be a laser beam printer (e.g., using an electrophotographic method for printing), an ink jet printer (e.g., using an ink jet method for printing), or the like.
[0028] As shown in FIG. 2, machine-readable storage medium 204 may store instructions 206-212. In an example, instructions 206-212 may be executed by processor 202 to restrict data transfer to or from an external device. In some examples, machine-readable storage medium 204 may store instructions to enable a user to configure image forming apparatus 200 with the user credential to access an input/output (I/O) port. In this example, the instructions may enable to set the user credential for image forming apparatus 200 using a configuration setting of image forming apparatus 200. Further, the instructions may associate the user credential to a user account. Furthermore, the instructions may store the user credential in a memory of image forming apparatus 200 or an external storage connected to image forming apparatus 200.
[0029] During operation, instructions 206 may be executed by processor 202 to detect an external device connected to the I/O port of image forming apparatus 200. Instructions 208 may be executed by processor 202 to display a prompt to input a user credential associated with image forming apparatus 200 in response to the detection that the external device is connected to the I/O port.
[0030] Instructions 210 may be executed by processor 202 to authenticate the inputted user credential. In an example, instructions 210 to authenticate the inputted user credential may include instructions to:
- retrieve the stored user credential from the memory or the external storage, and
- authenticate the inputted user credential by comparing the stored user credential with the inputted user credential.
[0031] Instructions 212 may be executed by processor 202 to restrict data transfer to or from the external device in response to an unsuccessful authentication of the inputted user credential. Further, machine-readable storage medium 204 may store instructions to generate an alert to notify a failed event to access the I/O port upon restricting the data transfer to or from the external device. In an example, the generated alert may be sent to an administrator through an email, a voice call, an instant message, an audio/visual indication on a user interface, or the like. Furthermore, machine-readable storage medium 204 may store instructions to record the failed event in a firmware log upon restricting the data transfer to or from the external device. The recorded failed events may be used to track the security attacks via the I/O port.
[0032] FIG. 3A is a block diagram of an example image forming apparatus 300, including a detection circuitry 308 to prompt a user to input a user credential in response to a detection of an external device 316 connected to an I/O port 302. In the example shown in FIG. 3A, image forming apparatus 300 may include a memory 312. Example memory 312 may include a stored credential 314 as set by a user to prevent unauthorized access to I/O port 302. For example, the user may set a credential (e.g., a password, pass phrase, certificate, personal identification number (PIN), or the like) using an OOBE process. In another example, the user may set the credential using configuration settings of image forming apparatus 300. Further, image forming apparatus 300 may store credential 314 in memory 312. Thus, examples described herein would leverage the authentication feature of image forming apparatus 300.
[0033] Further, image forming apparatus 300 may include detection circuitry 308 to detect external device 316 connected to I/O port 302. Upon detecting external device 316, detection circuitry 308 may display a prompt (e.g., on a graphical user interface 304, an IoT supported mobile application, or the like) to input a user credential associated with image forming apparatus 300. Further, the user may input the user credential via an input unit 306 (e.g., a control panel, a biometric device, or the like).
[0034] Furthermore, image forming apparatus 300 may include an authentication circuitry 310 to authenticate the inputted user credential. In an example, authentication circuitry 310 may authenticate the inputted user credential by comparing the inputted user credential with stored credential 314. In one example, image forming apparatus 300 may allow the data transfer to or from external device 316 in response to a successful authentication of the inputted user credential. In another example, image forming apparatus 300 may restrict the data transfer to or from the external device in response to an unsuccessful authentication of the inputted user credential. Thus, examples described in FIG. 3A may provide an authentication process as part of image forming apparatus 300 to authenticate the user credential. In other examples, the authentication process can also be performed using an authentication server connected to image forming apparatus 300 as shown in FIG. 3B.
[0035] FIG. 3B is a block diagram of example image forming apparatus 300 of FIG. 3A, depicting detection circuitry 308 communicatively connected to an authentication server 350. For example, similarly named elements of FIG. 1B may be similar in structure and/or function to elements described with respect to FIG. 3A. As shown in FIG. 3B, image forming apparatus 300 may be externally connected to authentication server 350. In an example, authentication circuitry 310 and memory 312 may be implemented as part of authentication server 350.
[0036] During operation, detection circuitry 308 may display a prompt on graphical user interface 304 to input a user credential associated with image forming apparatus 300 in response to detecting external device 316 connected to I/O port 302. Upon receiving the inputted user credential, image forming apparatus 300 may forward the inputted user credential to authentication server 350. Further, authentication circuitry 308 residing in authentication server 350 may authenticate the inputted user credential by comparing the inputted user credential with stored credential 314.
[0037] In some examples, the functionalities described herein, in relation to instructions to implement functions of detection circuitry 308, authentication circuitry 310, and any additional instructions described herein in relation to the storage medium, may be implemented as engines or modules including any combination of hardware and programming to implement the functionalities of the modules or engines described herein. The functions of detection circuitry 308 and authentication circuitry 310 may also be implemented by a processor. In examples described herein, processor may include, for example, one processor or multiple processors included in a single device or distributed across multiple devices.
[0038] FIG. 4 is a flowchart illustrating an example method 400 for enabling/restricting an external device to interact with an image processing apparatus based on an authentication of a user credential. Example image forming apparatus may be a single function peripheral (SFP) or a multi-function peripheral (MFP). Example external device may be a Bluetooth adaptor to connect a Bluetooth peripheral device with the image forming apparatus. In other examples, external device may also include a flash drive, a mobile device, or the like.
[0039] At 402, the image forming apparatus may be configured with a user credential to access an I/O port of the image processing apparatus. At 404, the user credential may be associated with a user profile. For example, in an enterprise scenario such as a small and medium-sized business (SMB) scenario, the user credential can be set by an administrator and then the user credential may be associated with the respective user profile. In an example, the user credential may be the same or different for each user in the enterprise. Example SMB scenario is described in FIG. 6. In other example scenarios, the user credential can be set by each employee as per an enterprise security policy after the administrator deploys the image forming apparatus. Further, the user credential may be stored in a centralized database. Example enterprise scenario is described in FIG. 7.
[0040] At 406, an external device may be detected as being plugged into the I/O port. At 408, a prompt to input the user credential associated with the user profile may be displayed in response to detecting the external device plugged into the I/O port. At 410, the inputted user credential may be authenticated.
[0041] At 412, a check may be made to determine whether the inputted user credential is successfully authenticated. When the inputted user credential is successfully authenticated, the external device may be enabled to interact with the image processing apparatus, at 414. In an example, enabling the external device to interact with the image processing apparatus may include enabling the image processing apparatus to access the external device to perform a function associated with the image forming apparatus. For example, the function may include printing a document from the external device, scanning a document to the external device, storing a received fax in the external device, transmitting a stored document in the external device in accordance with a user-selectable operation of the image forming apparatus, or the like.
[0042] When the authentication of the inputted user credential is unsuccessful, the external device may be restricted to interact with the image processing apparatus, at 416. Further, an event associated with the successful authentication or the unsuccessful authentication may be recorded and maintained in a firmware log associated with the image forming apparatus. Thus, the user or an enterprise may be able to monitor user actions via the firmware logs to trace security attacks.
[0043] FIG. 5 is a flowchart illustrating an example method 500 for enabling/restricting an interaction between an image processing apparatus and an external device. In example method 500, the image processing apparatus may be considered to be procured by a user in a home scenario. At 502, a device credential associated with the image forming apparatus may be configured while setting up the image forming apparatus. In an example, the user may follow an out-of-box experience (OOBE) procedure to set up the image forming apparatus. In an example, the user may set the device credentials during the OOBE process. In another example, the user may set up the device credentials after the OOBE process is completed. Further, the device credential may be stored in an internal memory of the image forming apparatus.
[0044] At 504, an external device may be detected as being plugged into an I/O port of the image forming apparatus. For example, the user may connect the external device such as a USB device for a scan workflow, USB printing, fax workflow, a stored job workflow, USB based Bluetooth adaptor, or the like. At 506, a prompt to input the device credential may be displayed in response to detecting the external device plugged into the I/O port. In an example, the prompt may be displayed on a user interface of the image forming apparatus.
[0045] At 508, a check may be made to determine whether the inputted device credential is successfully authenticated. For example, an authentication service may be invoked to authenticate the inputted device credential. The authentication service may compare the inputted device credential and the stored device credential to authenticate the inputted device credential. In an example, when the inputted device credential is successfully authenticated, the external device may be enabled to interact with the image processing apparatus, at 510. Further, an event associated with the successful authentication may be recorded in a firmware log associated with the image forming apparatus, at 512.
[0046] In another example, when authentication of the inputted device credential is unsuccessful, the external device may be restricted to interact with the image processing apparatus, at 514. At 516, an alert may be generated to notify a failed event to access the I/O port. For example, the generated alert (e.g., to indicate a suspicious activity) may be communicated to the owner/user via a notification on a mobile application, displayed on a control panel of the image forming apparatus, or sent to a registered email of the user. Further, an event associated with the unsuccessful authentication may be recorded in the firmware log associated with the image forming apparatus, at 512.
[0047] At 518, a detection that the external device is unplugged from the I/O port may be made. At 520, connection information associated with the external device may be removed or erased from the image forming apparatus. For example, when the user unplugs the external device from the image forming apparatus, the image forming apparatus may forget the connection. Further, when the user again connects the external device to the image forming apparatus, the image forming apparatus, instead of remembering the external device or connection, may prompt to input the device credential. For example, when a hacker or unknown user connects any external device, the image forming apparatus may prompt to input the device credential. Thus, the image forming apparatus may restrict access to the I/O port.
[0048] FIG. 6 is a flowchart illustrating another example method 600 for enabling/restricting an interaction between an image processing apparatus and an external device. In example method 600, the image processing apparatus may be considered to be procured by a small and medium-sized business (SMB). At 602, a user credential for the image forming apparatus may be set using a configuration setting of the image forming apparatus. In an example, an administrator associated with the SMB may follow an out-of-box experience (OOBE) procedure to set up the image forming apparatus and set up the user credential during the OOBE procedure. In another example, the administrator may set up the user credential after the OOBE process is completed.
[0049] At 604, the user credential may be associated to a user account. For example, the administrator may set up different user profiles for the employees. Further, the administrator may assign the user credential to the user profiles. In an example, the user credential may be the same or different for each of the employees.
[0050] At 606, an external device may be detected as being plugged into an I/O port of the image forming apparatus. For example, an employee may connect the external device to the image forming apparatus via the I/O port for a scan workflow, USB printing, fax workflow, a stored job workflow, a Bluetooth adaptor, or the like. At 608, a prompt to input the user credential may be displayed.
[0051] At 610, a check may be made to determine whether the inputted user credential is successfully authenticated. In an example, when the inputted user credential is successfully authenticated, the external device may be enabled to interact with the image processing apparatus, at 612. Further, an event associated with the successful authentication may be recorded in a firmware log associated with the image forming apparatus, at 614.
[0052] In another example, when the authentication of the inputted user credential is unsuccessful, the external device may be restricted to interact with the image processing apparatus, at 616. At 618, an alert may be generated to notify a failed event to access the I/O port. For example, the generated alert (e.g., to indicate a suspicious activity) may be communicated to the administrator via a notification on a mobile application, the alert may be sent to a registered email of the administrator, or the like. Further, an event associated with the unsuccessful authentication may be recorded in the firmware log associated with the image forming apparatus, at 614.
[0053] At 620, a detection that the external device is unplugged from the I/O port may be made by the image forming apparatus. At 622, connection information associated with the external device may be removed or erased from the image forming apparatus. Thus, examples described herein may include a zero-trust approach as the image forming apparatus may forget the connection in response to the detection that the external device is unplugged from the image forming apparatus. Further, when the external device is plugged again to the image forming apparatus via the I/O port, the image forming apparatus may follow the authentication process again to allow/restrict the interaction of the external device with the image forming apparatus.
[0054] FIG. 7 is a flowchart illustrating yet another example method 700 for enabling/restricting an interaction between an image processing apparatus and an external device. At 702, a user credential may be set as part of an enterprise password policy for an image forming apparatus. For example, when an enterprise procures the image forming apparatus, an administrator may follow an OOBE process to set up the image forming apparatus. The administrator may set up the image forming apparatus in an enterprise network and enroll the image forming apparatus to an authentication service such as Windows, lightweight directory access protocol (LDAP) based authentication, or any other centrally managed authentication service. Further, an employee may be allowed to set up the user credential as part of the enterprise password policy. At 704, the user credential may be stored against the corresponding user account in the authentication service, for instance.
[0055] At 706, an external device may be detected as being plugged into an I/O port of the image forming apparatus. For example, an employee may connect the external device to the image forming apparatus via the I/O port for a scan workflow, USB printing, fax workflow, a stored job workflow, a Bluetooth adaptor, third-party wireless accessory, card reader, or the like. At 708, a prompt to input the user credential may be displayed.
[0056] At 710, the user credential may be authenticated using the authentication service. For example, the image forming apparatus may send the inputted user credential to the authentication service for authentication. At 712, a check may be made to determine whether the inputted user credential is successfully authenticated. In an example, when the inputted user credential is successfully authenticated, the external device may be enabled to interact with the image processing apparatus, at 714. Further, an event associated with the successful authentication may be recorded in a firmware log associated with the image forming apparatus, at 716.
[0057] In another example, when authentication of the inputted user credential is unsuccessful, the external device may be restricted to interact with the image processing apparatus, at 718. At 720, an alert may be generated to notify a failed event to access the I/O port. For example, the generated alert (e.g., to indicate a suspicious activity) may be communicated to the administrator via a notification on a printer fleet management solution, a security information and event management (SIEM) event, by email, or the like. Further, an event associated with the unsuccessful authentication may be recorded in the firmware log associated with the image forming apparatus, at 716.
[0058] At 722, a detection that the external device is unplugged from the I/O port may be made by the image forming apparatus. At 724, connection information associated with the external device may be removed or erased from the image forming apparatus. Thus, when the external device is unplugged from the image forming apparatus, the image forming apparatus may forget the connection. Thus, the image forming apparatus may be secured from unwanted access via the I/O port from inside and/or outside threats (e.g., sensitive information disclosure, malware attack, denial of service attack, and the like).
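The plug, prompt, authenticate, log and forget-on-unplug sequence of methods 600 and 700, as an added simulation that is not part of the patent text. The class and method names, the salted PBKDF2 storage and the constant-time comparison are assumptions made for illustration; the sample user and secret are constructed.

```python
import hashlib
import hmac
import os

class PortGate:
    """Simulated I/O-port gate: every plug-in starts unauthenticated."""
    def __init__(self, alert):
        self._users = {}        # user -> (salt, PBKDF2 hash); no plaintext kept (assumption)
        self._present = set()   # ports with a device attached
        self._enabled = set()   # ports whose current connection has authenticated
        self.log = []           # stands in for the firmware log
        self._alert = alert     # callback: admin e-mail, fleet manager, SIEM event, ...

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def set_credential(self, user, secret):            # steps 602/604
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(secret, salt))

    def plug(self, port):                              # step 606
        self._present.add(port)
        self._enabled.discard(port)                    # never inherit earlier trust
        self.log.append(("plug", port, None))
        return "PROMPT"                                # step 608

    def authenticate(self, port, user, secret):        # steps 610-618
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        ok = port in self._present and hmac.compare_digest(self._hash(secret, salt), stored)
        if ok:
            self._enabled.add(port)
        else:
            self._alert(f"failed I/O port access on {port} as {user!r}")
        self.log.append(("auth_ok" if ok else "auth_fail", port, user))
        return ok

    def unplug(self, port):                            # steps 620/622
        self._present.discard(port)
        self._enabled.discard(port)                    # forget the connection
        self.log.append(("unplug", port, None))

    def transfer_allowed(self, port):
        return port in self._present and port in self._enabled


def demo():
    alerts = []
    gate = PortGate(alerts.append)
    gate.set_credential("alice", "constructed-sample-secret")
    gate.plug("usb0")
    results = [gate.transfer_allowed("usb0"),
               gate.authenticate("usb0", "alice", "wrong"),
               gate.authenticate("usb0", "alice", "constructed-sample-secret"),
               gate.transfer_allowed("usb0")]
    gate.unplug("usb0")
    gate.plug("usb0")                                  # same device, same port: trust is gone
    results.append(gate.transfer_allowed("usb0"))
    return results, alerts, [e[0] for e in gate.log]
```

For the enterprise variant of method 700, the local hash comparison in `authenticate` would be replaced by a call to the central authentication service; the gating and forget-on-unplug logic stays the same.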
[0059] It should be understood that method 400, 500, 600, or 700 depicted in FIGs. 4, 5, 6, or 7 represents generalized illustrations, and that other processes may be added, or existing processes may be removed, modified, or rearranged without departing from the scope and spirit of the present application. In addition, it should be understood that the processes may represent instructions stored on a computer-readable storage medium that, when executed, may cause a processor to respond, to perform actions, to change states, and/or to make decisions. The processes of method 400, 500, 600, or 700 may represent functions and/or actions performed by functionally equivalent circuits like analog circuits, digital signal processing circuits, application specific integrated circuits (ASICs), or other hardware components associated with the system. Furthermore, example method 400, 500, 600, or 700 may not be intended to limit the implementation of the present application, but rather example method 400, 500, 600, or 700 illustrates functional information to design/fabricate circuits, generate machine-readable instructions, or use a combination of hardware and machine-readable instructions to perform the illustrated processes.
[0060] The above-described examples are for the purpose of illustration. Although the above examples have been described in conjunction with example implementations thereof, numerous modifications may be possible without materially departing from the teachings of the subject matter described herein. Other substitutions, modifications, and changes may be made without departing from the spirit of the subject matter. Also, the features disclosed in this specification (including any accompanying claims, abstract, and drawings), and/or any method or process so disclosed, may be combined in any combination, except combinations where some of such features are mutually exclusive.
[0061] The terms “include,” “have,” and variations thereof, as used herein, have the same meaning as the term “comprise” or appropriate variation thereof. Furthermore, the term “based on”, as used herein, means “based at least in part on.” Thus, a feature that is described as based on some stimulus can be based on the stimulus or a combination of stimuli including the stimulus. In addition, the terms “first” and “second” are used to identify individual elements and may not be meant to designate an order or number of those elements.
[0062] The present description has been shown and described with reference to the foregoing examples. It is understood, however, that other forms, details, and examples can be made without departing from the spirit and scope of the present subject matter that is defined in the following claims.

Claims

WHAT IS CLAIMED IS:
1. An Internet-of-Things (IoT) device comprising: an input/output (I/O) port; and a processor to: detect an external device connected to the I/O port; provide a prompt to enter a device credential associated with the IoT device in response to the detection of the external device connected to the I/O port; and enable an interaction between the external device and the IoT device upon an authentication of the entered device credential.
2. The IoT device of claim 1, wherein the processor is to: restrict the interaction between the external device and the IoT device in response to an unsuccessful authentication of the entered device credential.
3. The IoT device of claim 1, wherein the processor is to: provide a setting to configure the IoT device with the device credential, wherein the device credential is to prevent unauthorized access to the I/O port; receive an input to configure the setting; and register the received input as the device credential.
4. The IoT device of claim 1, wherein the processor is to: configure the device credential as part of a registration process or out-of-box-experience (OOBE) process performed on the IoT device.
5. The IoT device of claim 1, wherein the I/O port is a universal serial bus (USB) port.
6. A non-transitory computer-readable storage medium encoded with instructions that, when executed by a processor of an image forming apparatus, cause the processor to: detect an external device connected to an input/output (I/O) port of the image forming apparatus; display a prompt to input a user credential associated with the image forming apparatus in response to the detection that the external device connected to the I/O port; authenticate the inputted user credential; and restrict data transfer to or from the external device in response to an unsuccessful authentication of the inputted user credential.
7. The non-transitory computer-readable storage medium of claim 6, further comprising instructions to: generate an alert to notify a failed event to access the I/O port upon restricting the data transfer to or from the external device.
8. The non-transitory computer-readable storage medium of claim 7, further comprising instructions to: record the failed event in a firmware log upon restricting the data transfer to or from the external device.
9. The non-transitory computer-readable storage medium of claim 6, further comprising instructions to: enable to set the user credential for the image forming apparatus using a configuration setting of the image forming apparatus; associate the user credential to a user account; and store the user credential in a memory of the image forming apparatus or an external storage connected to the image forming apparatus.
10. The non-transitory computer-readable storage medium of claim 9, wherein instructions to authenticate the inputted user credential comprise instructions to: retrieve the stored user credential from the memory or the external storage; and authenticate the inputted user credential by comparing the stored user credential with the inputted user credential.
11. A method comprising: configuring an image forming apparatus with a user credential to access an input/output (I/O) port of an image processing apparatus; associating the user credential to a user profile; detecting an external device plugged into the I/O port; displaying a prompt to input the user credential associated with the user profile in response to detecting the external device plugged into the I/O port; authenticating the inputted user credential; in response to a successful authentication, enabling the external device to interact with the image processing apparatus; and in response to an unsuccessful authentication, restricting the external device to interact with the image processing apparatus.
12. The method of claim 11, further comprising: recording and maintaining an event associated with the successful authentication or the unsuccessful authentication in a firmware log associated with the image forming apparatus.
13. The method of claim 11, wherein enabling the external device to interact with the image processing apparatus comprises: enabling the image processing apparatus to access the external device to perform a function associated with the image forming apparatus.
14. The method of claim 13, wherein the function comprises: printing a document from the external device; scanning a document to the external device; storing a received fax in the external device; or transmitting a stored document in the external device in accordance with a user-selectable operation of the image forming apparatus.
15. The method of claim 11, wherein the external device is a Bluetooth adaptor to connect a Bluetooth peripheral device with the image forming apparatus.
PCT/US2021/071809 2021-01-13 2021-10-11 Authentication- based interactions with external devices WO2022154983A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202141001670 2021-01-13

Publications (1)

Publication Number Publication Date
WO2022154983A1 true WO2022154983A1 (en) 2022-07-21

Family

ID=82448502

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2021/071809 WO2022154983A1 (en) 2021-01-13 2021-10-11 Authentication- based interactions with external devices

Country Status (1)

Country Link
WO (1) WO2022154983A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8018610B2 (en) * 2004-10-08 2011-09-13 Sharp Laboratories Of America, Inc. Methods and systems for imaging device remote application interaction
US20170235529A1 (en) * 2014-03-14 2017-08-17 Canon Kabushiki Kaisha Image forming apparatus, information processing method, and storage medium
US10325454B2 (en) * 2017-02-03 2019-06-18 Samsung Electronics Co., Ltd. Method for providing notification and electronic device thereof


Similar Documents

Publication Publication Date Title
US10009327B2 (en) Technologies for secure storage and use of biometric authentication information
US10055559B2 (en) Security device, methods, and systems for continuous authentication
EP3864542B1 (en) Proximity-based unlocking of communal computing devices
US9454656B2 (en) System and method for verifying status of an authentication device through a biometric profile
US8689013B2 (en) Dual-interface key management
US10645557B2 (en) Transferable ownership tokens for discrete, identifiable devices
US8385824B2 (en) Procedure for headset and device authentication
WO2017053002A1 (en) Technologies for touch-free multi-factor authentication
US11140155B2 (en) Methods, computer readable media, and systems for authentication using a text file and a one-time password
US9256723B2 (en) Security key using multi-OTP, security service apparatus, security system
CN104320389B (en) A kind of fusion identity protection system and method based on cloud computing
US11038684B2 (en) User authentication using a companion device
US9058482B2 (en) Controlling user access to electronic resources without password
KR20160097323A (en) Near field communication authentication mechanism
US10298556B2 (en) Systems and methods for secure storage and management of credentials and encryption keys
US20200120090A1 (en) Biometric data synchronization devices
KR101133210B1 (en) Mobile Authentication System and Central Control System
WO2022154983A1 (en) Authentication- based interactions with external devices
US20220417249A1 (en) Remote registration of a data storage device with biometric authentication
US11748497B2 (en) BIOS access
JP2021174146A (en) Information processing apparatus and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21920090

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21920090

Country of ref document: EP

Kind code of ref document: A1