MFD (Copier) Firmware – Who updates it & how?
February 24, 2009I have recently met with a number of security people and this question has come up a few times, so I thought that it was worth the time to address it here.
Who updates the firmware on my copier MFD? How can I be assured that it’s getting done?
Here is how we do it at my company. This may give you a starting point for a similar discussion for you to have with your servicing dealer.
“Copier” MFD – Firmware updates
NECS, Canon, and Konica Minolta have a number of policies and procedures in place to ensure that there is current firmware installed on the machines in the field (MIF).
1. NECS Technician all carry laptops not just because it makes it easier to have all of their Tech Manuals in a searchable PDF format BUT also so they will always have the current firmware for the MFDs that they service. The way NECS accomplishes this is by requiring the Technicians (when they come into any of our offices) to logon to the company network with their laptop. When they do this a script runs that downloads any new firmware of technical bulletins that are available. This automates the process of making sure that the NECS technicians always have the current firmware and all current technical bulletins when they need it.
2. Canon & Konica Minolta Tech support also has a policy and procedure in place to make sure that the firmware is kept current. When an Authorized Technician calls the Canon or Konica MinoltaTech Support Help line one of the first questions that the Help Desk asks is what is the current level of firmware on this MFD? If it is not up to date, they require the technician to first update the firmware (which in many cases that alone can fix a problem) before they proceed with the help desk support.
3. It also seems like the Manufacturers are becoming more aware of the customer sensitivity to this issue and we are hearing that they are moving towards giving the Dealers and/or the customers easier ways to check and or update the firmware. While I have not seen this released yet, we have heard talk that it is coming. Stay tuned for more info
NOTE: It is important for us to compare and contrast MFD firmware updates from a PC or MACs OS Service Pack or Patch. Not all firmware is designed to work on all configurations of an MFD. It is true that there are certain versions made for the general MFD. But we have seen, and do see specific levels of firmware design for an MFD that has a certain option (like a Booklet Maker Finisher) or a specific Print Engine (like a MicroPress RIP). In some cases loading the latest & greatest firmware that is available for a particular MFD will actually cause a problem (I have seen it happen).
So how do you know that youhave the correct level of firmware for your MFD. The factory trained and authorized technician has access to this information via the manufacturer’s support web site. It is one of the reasons that you REALLY need to have an Authorized Dealer servicing your equipment.
That’s my $0.02
Vince McHugh
vince.mchugh@Yahoo.com
PS: The Canon Ikon letter stated that Ikon would recieve “certain technical support” from Canon for one year. The way I read that is after one year they will recieve no technical support from Canon (Isn’t that what it implies?). If that is the case then the Canon MFDs that Ikon continues to service would NOT be able to get a firmware update, at least not form an Ikon tech. What are the security ramifications of that? If you fall into this category you may may want to talk to Ikon about this serious problem, or better yet speak to you local Authorized Canon Dealer. They definitely will be able to update your firmware!
MFPs, MFDs, PRINTERs & COPIERs 
First lets explore the reason new firmware is released. This is a quote from the “issue fixed” in the latest release of firmware from one of my vendors:
MFP accesses the default homepage once when Auto Reset is
executed if the homepage MFP accessed in the last occasion
is other than the default homepage.
Now I ask myself. Given any translation of janglish, can I come up with ANY reason to update ANY machine in the field with this firmware unless the customer has actively been complaining about some problem this may remedy? This is not an isolated case of a particular firmware version. This type of firmware release is common.
Second, for most firmware releases there is no compelling reason to create what may be hundreds of service calls which will consume an average of 2 hours each of a technicians time in travel, and wrench time. I have contracts with guaranteed response time and uptime clauses that this may well push over the triggers and cause me not only to tie up field resources but loose service revenue as well. The folks who are concerned or asking about maintaining the firmware versions are not small clients with a few machines, they are widespread fleets with involved IT staffs.
Your initial point was from the slant of “security people with questions” about updates. I would take this position with them.
1. Outside of an external print controller (i.e. EFI or Creo etc) which runs a Windows OS, most patches or firmware updates are not aimed at security. If my MFP runs VXWorks or a custom OS there will rarely be a security patch issued during the life of the device. Fiery’s can be set to automatically pull and update MS security patches. Creo has a somewhat different system, but MS patches are still applied. If you are REALLY concerned about network security I strongly advise against equipping a fleet of devices with Windows front ends. Even under the best of circumstances it will be weeks or months before a critical security patch filters down to the RIP vendors patch list.
2. Does the customer want to suffer the extra downtime necessary for keeping current on the very latest release of firmware, and are they paying you enough to make it worth the possible revenue loss from other customers to pour manpower into their updates? Even when 90% of these update have no discernible impact on their day to day operation or security?
3. What are the testing and verification processes to be implemented before these new firmware updates are applied to their fleet? Do they really want my junior technician deciding that some version of firmware or another has to be deployed on their machines without them installing it in a test bed and verifying that some mission critical operation of the MFP is not brought to its knees by the version of firmware that hit the mymfpvendor.com website last might?
I could probably keep ranting in this vein, but you get the jist.
Daved,
You have some very valid points, and this should lead to an honest and open debate on the pros and cons on doing updates to firmware on the MFDs. I appreciate your prospective, since I have also been a service technician, a troubleshooter, and a Field Service Manager in my carrer. So I get what you are saying, and for the longest time this was the standard in our industry “If it ain’t broke, don’t fix it”.
Any time you load new firmware or software you run the risk of introducing bad or even just different behavior from the device. And different usually is interpreted as bad by the customer unless it solves a specific problem that they were previously aware of.
But there is also a risk in not updating the MFDs firmware and we need to honestly discuss this too. While it is true that sometimes we don’t get a good explanation of what a certain firmware updates does, often times there is a good technical bulletin, or Readme file with it (at least in my experience with Canon & Konica Minolta). After all the manufacturers get no benefit to writing a useless firmware update. Typically it is released to fix bugs, and to patch security holes. Most manufacturer’s help desk force the service tech to update the firmware before they will provide tech support. This makes sense because if they have an old problem with old firmware the newer version may have been written to fix that very issue. I have seen this first hand.
But what about from the customer’s point of view. I think we can all agree that the modern MFD is not a “copier” anymore. It is a node on the network, and as such it is now being looked at, supported, and even purchased (many times) by the IT Dept. And it is an unfortunate reality that MFDs do get hacked into. At one very prestigious Technical Institution here in Massachusetts (where the “scary smart kids go to school), I had a discussion with their IT people and they asked me if I knew how long the average MFD was on their Network before it got hacked? I told them that I had no idea. My jaw hit the floor when they informed me that the average time from when an MFD was installed on their network until it got hacked was …… (drum roll please!)
6 Minutes!!!!
So as much as this may be a discussion that Copier companies don’t want to have, there is no avoiding it anymore. We need to talk about firmware upgrades and securing the MFD. So let’s talk about best practices (so we don’t run our service departments into the ground financially).
I am not and would not suggest that a service call be generated just to update the MFDs firmware. But in the regular course of a service call or a pre scheduled PM the level of firmware should be checked by the technician. If they already have the latest version of firmware on them (as our NECS Service Techs do – See the main article to this comment) then it will only add 15 – 20 minutes to the service call. And could save future service calls by the bug fixes and the security patches that the firmware was written to deliver. If the tech does not get the new firmware on a regular basis you may need to implement a policy to rectify the situation.
I have found that Service technicians fall into two general categories; The first does the “hit & run” type of service calls. S/he only fixes the problem that was called in and is generally back within a week to ten days to fix only the next problem that they call for. This is a truly ineffective way to service a modern MFD. While this type of tech does a lot of calls per day, they also have a lot of recalls. It is expensive for the dealership and frustrating for the customer. The other type of Service tech does a “total service call”, not only fixing the problem that the customer called for, but also looking at the overall MFD (Rollers, Fixing Unit, Waste toner, Web, and yes the firmware version). By taking a little extra time they pro-actively resolve issues before they arise. In the long run that saves the dealership money, by avoiding future service calls. And customers don’t get to know your service tech all too well!
There is also some good news on the Firmware upgrade front. The manufacturers are aware that this is becoming a concern, and a problem for not only the dealerships but also for their customers. We are hearing that they are working on ways to make it significantly easier to update firmware. Stay tuned to this blog and I will tell you more as it is made public.