Information processing apparatus, method for controlling information processing apparatus, and program
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- CANON KK
- Filing Date
- 2023-05-24
- Publication Date
- 2026-06-23
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
[Technical field]
[0001] The present invention relates to improving security of information processing devices used in a diversified environment. [Background technology]
[0002] Information processing devices connected to a network can be used safely by incorporating various security functions such as encryption technology. When communicating in infrastructure mode of a wireless LAN (Local Area Network), the information processing device achieves communication by connecting to a wireless access point. At this time, the encryption method for the communication path is determined through an agreement between the information processing device and the wireless access point, so that measures are taken to prevent communication contents from leaking along the path. The encryption method that can be used must be supported by both the information processing device and the wireless access point. Even if the information processing device supports the latest encryption method with high strength, if the wireless access point does not support it, a conventional encryption method with low strength must be used.
[0003] Currently, the encryption methods for wireless LANs generally installed in information processing devices are the protocols WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), WPA2, and WPA3. Of these, methods for decrypting WEP and WPA are known due to the weak encryption strength and some vulnerabilities, and governments and security agencies of various countries have issued warnings that their use is not recommended. In addition, while no encryption is also an available communication method, it is naturally not recommended.
[0004] In the past, work environments were often conducted within a company's intranet. In recent years, as work environments have diversified, there has been an increase in cases of working from home or in public spaces. As the work environment has changed, there have been more cases where information devices used for work are used outside of the company's intranet.
[0005] In the past, in-house intranet security managers have provided employees with a safe work environment by taking security measures for the information devices used and the networks they connect to. In such an environment, even if the encryption method of the wireless LAN used by the information devices is a non-recommended protocol, it is possible to reduce the risk by taking measures on the environment side. For example, measures such as eliminating the risk of eavesdropping by controlling the range of radio waves and strictly managing entry to rooms can be taken. In cases where the upgrade cycle of industrial equipment used by a company is long and it is not possible to strengthen the encryption of the industrial equipment itself, such environmental measures are a viable option.
[0006] In a home environment, security managers may be able to check using some security software, but basically the responsibility for security measures lies with the employees who use the system. Although companies make efforts to educate employees on security, it is difficult for them to analyze threats at the same level as security managers. In this case, employees responsible for security rarely have security expertise, so there are few cases where they can take measures to reduce risks on the environmental side, as companies do, and there is a high possibility that they are not even aware of the risks in the first place. Furthermore, when working from home, it is often difficult to control the range of radio waves due to the small size of the lot and the shielding properties of building materials against radio waves.
[0007] Patent Document 1 discloses a technology that displays a warning when an encryption method with weak security strength is being used when a user sets an information processing device to prohibit the use of the encryption method with weak security strength. [Prior art documents] [Patent documents]
[0008] [Patent Document 1] JP 2016-208448 A Summary of the Invention [Problem to be solved by the invention]
[0009] However, in Patent Document 1, for example, appropriate notification is not performed in consideration of the usage environment of the information processing device, such as conditions specific to a particular usage environment or changes in the usage environment.
[0010] Therefore, an object of the present invention is to provide an appropriate notification mechanism that takes into consideration the usage environment of an information processing device. [Means for solving the problem]
[0011] In order to achieve the above-mentioned object, the information processing device of the present invention is an information processing device capable of wireless communication with an external device, and has a reception means for receiving a selection of one environment from a plurality of environments as a usage environment of the information processing device, and a notification control means for notifying a warning regarding the wireless communication settings when one of the predetermined environments is selected by the reception means and a setting with a relatively low security strength among the settings for encryption processing used for wireless communication is set in the information processing device, and for controlling so as not to notify the warning when the predetermined environment is not selected by the reception means, wherein the predetermined environment is at least one of an environment assumed for use of the information processing device when working from home, an environment assumed for use of the information processing device in a coworking space or shared office, and an environment assumed for connection of the information processing device to a Wi-Fi hotspot. Effect of the Invention
[0012] According to the information processing device of the present invention, it is possible to provide an appropriate notification mechanism that takes into consideration the usage environment of the information processing device. [Brief description of the drawings]
[0013] [Figure 1] 1 is a block diagram showing a connection configuration of an MFP according to the present invention. [Diagram 2] FIG. 2 is a diagram illustrating the internal configuration of a controller unit of the MFP. [Diagram 3]FIG. 2 is a block diagram of the software executed in the controller of the MFP. [Figure 4] FIG. 4 is a screen configuration diagram relating to a usage environment setting function of the present invention. [Diagram 5] FIG. 4 is a screen configuration diagram relating to a security notification function of the present invention. [Figure 6] FIG. 4 is a screen configuration diagram relating to a remote control function of the present invention. [Figure 7] 2 is a flow diagram for implementing the processing of the MFP of the present invention. [Figure 8] FIG. 4 is a screen configuration diagram relating to the wireless LAN access point selection function of the present invention. [Figure 9] 2 is a flow diagram for implementing the processing of the MFP of the present invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0014] Hereinafter, an embodiment of the present invention will be described with reference to the drawings. Note that the following embodiment does not limit the invention according to the claims, and not all of the combinations of features described in the embodiment are necessarily essential to the solution of the invention. In addition, the following embodiment will be described using a multi-function peripheral (MFP) equipped with a printer as an example of an information processing device. Note that the information processing device in the present invention is not limited to an MFP, and may be, for example, a notebook PC, a tablet, a smartphone, etc.
[0015] <First embodiment> In this embodiment, an access point is selected on a wireless access point selection screen (not shown), and after the network connection settings are completed, if communication with weak security strength is detected, a security notification is given to the user according to the MFP usage environment.
[0016] 1 is a block diagram showing the connection configuration of an MFP, a wireless access point, a PC, and a management system according to the present invention. MFP 100 is an example of an information processing device according to the present invention. MFP 100 and PC 113 are connected via a wireless access point 111. This allows MFP 100 to perform wireless communication with PC 113, which is an external device. Wireless access point 111 and management cloud system 121 are connected via Internet 120. In this embodiment, wireless access point 112 is a device that is a target of an access point search but does not connect to.
[0017] The MFP 100 has an operation unit 102 that inputs and outputs data to and from the user. The MFP 100 has a printer unit 103 that outputs electronic data to paper media. The MFP 100 has a scanner unit 104 that reads paper media and converts it into electronic data. The operation unit 102, printer unit 103, and scanner unit 104 are connected to a controller unit 101, and function as a multifunction peripheral according to the control of the controller unit 101.
[0018] The PC 113 is a work terminal that transmits print jobs to the MFP 100 and performs remote control. The MFP 100 can receive print jobs from the PC 113 and transmit scan data to the PC 113 using wireless communication via a wireless access point 111. The management system 121 is a device for checking information about the MFP 100 via the Internet.
[0019] FIG. 2 is a block diagram showing details of the controller unit 101 of the MFP 100. The CPU 201 performs main arithmetic processing within the controller. The CPU 201 is connected to the DRAM 202 via a bus. The DRAM 202 is used by the CPU 201 as a working memory for temporarily storing program data representing arithmetic instructions during the CPU 201's arithmetic process and data to be processed. The CPU 201 is connected to the I / O controller 203 via a bus. The I / O controller 203 performs input / output to various devices according to instructions from the CPU 201. A SATA (Serial Advanced Technology Attachment) I / F 205 is connected to the I / O controller 203, and a Flash ROM 211 is connected to the SATA I / F 205. The CPU 201 uses the Flash ROM 211 to permanently store programs for implementing the functions of the MFP 100 and document files. A network I / F 204 is connected to the I / O controller 203. A wireless LAN device 210 is connected to the network I / F 204. The CPU 201 controls the wireless LAN device 210 via the network I / F 204 to realize communication with the wireless access point 111. A panel I / F 206 is connected to the I / O controller 203, and the CPU 201 realizes user-oriented input / output to the operation unit 102 via the panel I / F 206. A printer I / F 207 is connected to the I / O controller 203, and the CPU 201 realizes output processing for paper media using the printer unit 103 via the printer I / F 207.
[0020] 3 is a block diagram showing the structure of software executed by the controller unit 101 of the MFP 100. All of the software executed by the controller unit 101 is executed after the CPU 201 reads a program stored in the Flash ROM 211 into the DRAM 202.
[0021] The operation control unit 301 displays a screen image for the user on the operation unit 102, detects user operations, and executes processing associated with screen components such as buttons displayed on the screen. The data storage unit 302 stores and reads data in the Flash ROM 211 upon request from another control unit. For example, if the user wants to change some device setting, the operation control unit 301 detects the content input by the user to the operation unit 102, and upon request from the operation control unit 301, the data storage unit 302 saves it in the Flash ROM 211 as a setting value.
[0022] A job control unit 303 controls job execution according to instructions from the other control units. An image processing unit 304 processes image data into a format suitable for each purpose according to instructions from the job control unit 303. A print processing unit 305 prints and outputs an image on a paper medium via a printer I / F 207 according to instructions from the job control unit 303. A read control unit 306 reads a placed document via a scanner I / F 208 according to instructions from the job control unit 303.
[0023] The network control unit 307 performs network settings such as connection to a wireless access point and IP address in the TCP / IP control unit 308 at system startup or when a setting change is detected according to the setting values stored in the data storage unit 302. The setting values stored in the data storage unit 302 include information such as an SSID (Service Set Identifier), encryption method, and PSK (Pre Shared Key) required for connection to a wireless LAN access point. Regarding the SSID and encryption method, the MFP 100 stores in the data storage unit 302 the SSID and encryption method corresponding to an access point selected by a user on a wireless access point selection screen (not shown). Here, the wireless access point selection screen (not shown) displays an access point corresponding to a signal received by the MFP 100 and transmitted by the wireless access point to a device before connection. Instead of selecting a wireless access point, the user may manually input information notified in advance by an administrator of the wireless access point through the operation unit 102. In this case, the MFP 100 stores in the data storage unit 302 the information on the SSID and encryption method manually input by the user. Regarding the PSK, the user inputs information notified in advance by the administrator of the wireless access point, and MFP 100 stores the input PSK information in data storage unit 302 .
[0024] A TCP / IP control unit 308 performs transmission and reception processing of network packets via the network I / F 204 in accordance with instructions from other controls.
[0025] Security verification control unit 309 detects that network control unit 307 has established a connection to a wireless access point, and performs security verification. If the verification result requires a user notification, it notifies operation unit 102, management system 121, and PC 113 via operation control unit 301, management system communication unit 310, and remote control communication unit 311. It also records the result as a log in data storage unit 302 for later reference. The specific processing of security verification will be described later with reference to FIG. 7.
[0026] The management system communication unit 310 performs control for transmitting various information to the management system 121 via the network control unit 307 .
[0027] A remote control communication unit 311 performs control to respond to operation and display requests from the PC 113 via the network control unit 307. This enables the user to operate the MFP 100 from a remote PC without being in front of the MFP 100.
[0028] 4A and 4B show the recommended security settings 401 displayed on the operation unit 102. This is a screen used to set security settings associated with a usage environment in a lump sum by selecting the usage environment. It is displayed when the user instructs the display of the recommended security settings 401 from a menu screen (not shown). The company intranet button 402 is selected when the usage environment is the company intranet. The at home button 403 is selected when the usage environment is an environment assumed for use in telecommuting. The public space button 404 is selected when the usage environment is a public space. The Internet direct connection button 406 is selected when the usage environment is an Internet direct connection environment. The Internet prohibition button 407 is selected when the usage environment is an Internet prohibition environment. The highly confidential information button 408 is selected when the usage environment is a highly confidential information environment. The button information notification section 405 is an area in which the MFP 100 displays a message when there is information to be notified to the user. FIG. 4A shows an example of a notification when the use of a non-recommended protocol described later is detected in a wireless LAN connection. Also, Fig. 4(B) is an example of a notification when a change in the usage environment in which the information processing device is used is detected. The usage environment estimation result notification unit 409 is an area that notifies the usage environment estimated from the network environment to which the MFP 100 is connected. The security risk notification unit 410 is an area that notifies the security risk level of the network environment to which the MFP 100 is connected and displays information to encourage a user who is hesitant to implement security settings to do so. Fig. 4(A) is an example of a notification when a home environment is estimated as the usage environment, and Fig. 4(B) is an example of a notification when a company intranet is estimated.
[0029] In order to perform collective setting using the recommended security setting 401, the data storage unit 302 stores a set of setting values associated with each usage environment. By selecting one of the buttons 402 to 404 and 406 to 408, collective setting is performed for multiple setting items of the MFP 100 using the set of setting values associated with the usage environment corresponding to the selected button. The multiple setting items include security setting items related to the system in general, such as a network, such as TLS setting related to encryption of communication, personal firewall setting, and SMB setting related to file sharing. In addition, setting items related to the security of the MFP, such as a function to automatically delete a print job interrupted due to an error or the like, and a function to display the history of print jobs, are also included. The multiple setting items do not include a setting value corresponding to a setting related to encryption processing used for wireless communication. In this embodiment, the setting value corresponding to a setting related to encryption processing is a value of the encryption method used for wireless LAN connection. In addition, the settings related to the encryption processing used in wireless communication can be broken down into authentication method, encryption method, encryption algorithm, and key length settings, and at least one of these settings may be set as the setting value corresponding to the settings related to the encryption processing.
[0030] FIG. 5 shows a security notification setting screen 501 displayed on the operation unit 102. This is a screen for the user to select whether or not to display a security notification. It is displayed when the user instructs the display of the security notification setting screen 501 from a menu screen (not shown). The information notification unit 503 is a message display area similar to the information notification unit 405. The setting 502 for not notifying a non-recommended protocol warning of wireless LAN can be set to whether or not to notify the information notification units 405 and 503 of a message in S1005 described later when the use of a non-recommended protocol of wireless LAN is detected in S1001 described later. When the setting 502 is selected by the user, the operation control unit 301 accepts an instruction not to notify the message. The value set here is stored in the data storage unit 302 and is referred to in the process of S1002 described later.
[0031] FIG. 6 shows a security notification setting screen 601 transmitted from the remote control communication unit 311 and displayed on a web browser running on the PC 113. The screen is displayed when the user instructs display of the recommended security notification setting screen 601 from a menu screen (not shown). The function provided is equivalent to that of the security notification setting screen 501, but the operation can be performed from the PC 113 at hand without going to the front of the MFP 100. The information notification unit 603 is a message display area. The setting 602 for not notifying a non-recommended protocol warning of wireless LAN can set whether or not to notify a message, similar to the setting 502 for not notifying a non-recommended protocol warning of wireless LAN. When the setting 602 is selected by the user, the PC 113 accepts the instruction not to notify the message. The value set here is stored in the data storage unit 302 and is referred to in the process of S1002 described later.
[0032] A process in which the MFP 100 detects the use of a non-recommended protocol and notifies the user will be described with reference to Fig. 7. All the processes performed by the MFP 100 in Fig. 7 are executed as calculation processes by the CPU 201 after a program recorded in the Flash ROM 211 is loaded into the DRAM 202.
[0033] This flow starts when the MFP 100 is started or when the network settings are changed. In S1001, the network control unit 307 establishes a connection to the wireless LAN based on the network settings stored in the data storage unit 302. The network settings include information required for wireless LAN connection, such as the SSID, encryption method, and PSK of the wireless access point 111 to be connected.
[0034] In S1002, security verification control unit 309 identifies that security notification is enabled. The value set by the user in setting 502 of not notifying non-recommended protocol warnings for wireless LAN or setting 602 of not notifying non-recommended protocol warnings for wireless LAN and stored in data storage unit 302 is read out, and identifies whether or not to notify. If an instruction not to notify has been accepted on screen 501 or screen 601, security setting control unit 309 determines that the setting not to notify has been accepted, and ends this flow. That is, in this case, even if a setting with relatively low security strength has been accepted in S1003 described later and the environment is identified as a predetermined environment in S1004, the flow ends without issuing a warning in S1005. If an instruction not to notify has not been accepted on screen 501 or screen 601, security setting control unit 309 determines that the setting to notify has been accepted, and executes the process of S1003.
[0035] In S1003, the security verification control unit 309 determines whether the MFP 100 uses a non-recommended protocol. Specifically, it determines whether the encryption method used in the wireless LAN connection in S1001 is no encryption, WEP, or WPA. In this embodiment, no encryption, WEP, and WPA are called non-recommended protocols. If the encryption method used in the wireless LAN connection in S1001 is no encryption, WEP, or WPA, it is determined to be a non-recommended protocol, and S1004 is performed. If the encryption method used in the wireless LAN connection in S1001 is WPA2 or WPA3, it is determined to be not a non-recommended protocol, and this flow ends. In this embodiment, the encryption protocol is specified according to the current situation, but the specific non-recommended encryption protocol will be updated according to future analysis and evolution of the encryption protocol, and the present technology is not limited to a specific encryption protocol. For example, it may be configured to determine whether a setting with relatively low security strength is set among settings related to encryption processing used for wireless communication. It may be determined whether a setting with relatively low security strength is set for wireless communication that is not encrypted or wireless communication using a non-recommended protocol is set as a setting with relatively low security strength. In this embodiment, the determination in S1003 is performed assuming that the setting for performing unencrypted wireless communication or wireless communication using a non-recommended protocol is a setting in which the encryption method is no encryption, WEP, or WPA. In addition, the settings related to the encryption process used in wireless communication can be broken down into authentication method, encryption method, encryption algorithm, and key length settings. At least one of these settings may be referenced to determine whether or not the setting is for performing wireless communication with relatively low security strength.
[0036] In S1004, the security verification control unit 309 judges whether the usage environment of the MFP 100 is a predetermined environment. In this embodiment, the predetermined environment is an environment assumed for use in telecommuting. That is, in S1004, the security verification control unit 309 judges whether the usage environment of the MFP 100 is a home environment. The predetermined environment is not limited to an environment assumed for use in telecommuting. For example, it may be at least one of a home environment, an environment assumed for use in a coworking space or a shared office, and an environment assumed for connection to a Wi-Fi hotspot. In this embodiment, the company intranet environment is not included in the predetermined environment. An environment in which management is applied to prevent eavesdropping within the reach of radio waves of wireless communication, such as the company intranet environment, may not be considered as a predetermined environment. In addition, even if special management is not applied, if a third party cannot enter the reach of radio waves and a relatively low security setting can be tolerated, it may not be considered as a predetermined environment. In other words, the predetermined environment may be an environment in which a user of the information processing device should not permit wireless communication using encryption processing according to a setting with a relatively low security level from the information processing device.
[0037] As a method of determination, it is confirmed whether the usage environment information selected in the recommended security setting screen 401 and stored in the data storage unit 302 is information indicating a home environment. There may be a case where the usage environment is not set in the recommended security setting 401, in which case it is determined that the usage environment of the MFP 100 is not set as home. The most conceivable case where the recommended security setting 401 is not used is when there is a highly skilled security administrator who individually considers and sets detailed settings, and in that case, the security warning notification of this embodiment is also considered unnecessary. In this embodiment, six environments are taken as examples: company intranet, home, public space, direct Internet connection, Internet prohibited, and confidential information, and the home environment is set as the predetermined environment and is the target of the security warning notification. However, as described above, the predetermined environment can be an environment other than the home environment. For example, if a device has an environment that can be included in the predetermined environment, such as a Wi-Fi hotspot, as an option of the usage environment displayed on the recommended security setting screen 401, that environment will also be the target of the security warning notification. It is conceivable that usage environments that are not currently envisioned will increase in the future, but the predetermined environment in the present invention is not limited to the home environment, and may be an environment that can be included in the above-mentioned predetermined environment.
[0038] The means for identifying the usage environment may be configured such that the network control unit 307 estimates the usage environment from the tendency of packets being transmitted and received. For example, a communication tendency specific to a home network is a feature caused by a home router. Specifically, in a home router, the same device generally serves as both a DHCP (Dynamic Host Configuration Protocol) server and a default gateway, but such a configuration is rare in corporate networks. From such tendencies, it is possible to infer the usage environment with a certain degree of accuracy. The security verification control unit 309 accepts the selection result of the estimated environment from among a plurality of environmental options, and identifies the usage environment of the MFP 100.
[0039] If the usage environment of the MFP100 is a predetermined environment, the process proceeds to S1005; if not, the process ends. In S1005, a security warning is notified to the user. Four notification means are used for the security warning. First, the operation control unit 301 notifies the information notification unit 405 or the information notification unit 503 on the operation unit 102 that a non-recommended protocol is being used. In addition, the management system communication unit 310 transmits a notification to the management system 121 that the MFP100 is using a non-recommended protocol. The management system 121 that has received the notification displays the received notification on a management system browsing screen for a Web browser operated by the user. In addition, the remote control communication unit 311 transmits a notification to the PC 113, which is an external device, that a non-recommended protocol is being used. The PC 113 that has received the notification displays the notification in the information notification unit 603 on the Web browser displayed on the PC 113. Furthermore, security verification control unit 309 records the notification that MFP 100 is using a non-recommended protocol, i.e., the determination result in S1003, in data storage unit 302 for later reference as a security log. This log may be separately transmitted to a Security Information and Event Management (SIEM) server as a security log. The above four methods are used to notify the user that MFP 100 is using a non-recommended protocol.
[0040] According to the above flow, when the wireless communication setting of the information processing device is set to use encryption processing with a relatively low security strength, notification control can be performed to notify a warning in consideration of the usage environment of the information processing device. This allows a user in a home environment to recognize security risks. If the usage environment of the information processing device is not taken into consideration, an unnecessary warning display would be given to a user who does not need the notification, such as a company intranet where security risks have already been reduced by measures on the environment side. According to the present invention, for a user in an environment where a warning is not required, such as a company intranet environment, the convenience is improved by eliminating unnecessary notifications. Note that screens 501, 601, and S1002 can be omitted.
[0041] Also, as shown in FIG. 4, the operation control unit 301 may display the use environment specified by the estimation described in S1004 on the recommended security setting screen 401. Since the estimation of the use environment is based on the tendency of packets transmitted and received, the network control unit 307 may execute the estimation process at any timing when the environment of the connected network may change other than the start of the wireless LAN. For example, the timing is when the wired LAN is started, when the network settings are changed, when the network is started, etc. Also, the network control unit 307 may execute the estimation process at a timing when the user wants to see the estimation result. For example, the timing is when the recommended security setting screen 401 is displayed, or when a usage environment estimation start button (not shown) displayed on the recommended security setting screen 401 is pressed. When the network control unit 307 executes the estimation process and obtains the use environment indicated by the estimation result, the operation control unit 301 may display the use environment on the recommended security setting screen 401.
[0042] Also, by storing a security level corresponding to the usage environment in advance in the MFP100, it is possible to specify the security risk level of the usage environment from the estimation result of the usage environment. For example, when the usage environment is a company intranet, it can be assumed that a security administrator has blocked communication on the network side or has performed thorough building entry management, so that the security risk level of the usage environment is considered to be relatively low or medium. When the usage environment is a home environment, it can be assumed that communication has not been blocked or strict entry management has not been performed, so that the security risk level of the usage environment is considered to be relatively high. In this way, the vendor determines the security risk level corresponding to the usage environment in advance, and stores the usage environment and the security risk level in the data storage unit 302 in the MFP100 in association with each other. Then, when the network control unit 307 estimates that the usage environment is a company intranet, it specifies the security risk level as "medium". When the network control unit 307 estimates that the usage environment is a home environment, it specifies the security risk level as "high". In this manner, the network control unit 307 may identify the security risk level of the usage environment from the estimation result of the usage environment.
[0043] In the case of a public space environment, it can be assumed that communication is not blocked or that strict entry management is not performed. Therefore, the security risk level is set to "high" as in the home environment. The security risk level is also set to "high" for an environment directly connected to the Internet. It can be assumed that a security administrator blocks communication on the network side or strictly manages entry to the building for a highly confidential information environment. Therefore, the security risk level is set to "medium" as in the company intranet environment. Since an Internet-prohibited environment is an environment isolated from a different network, the security risk level is set to "low". In this way, information that associates the usage environment with the security risk level is stored in the data storage unit 302. Then, when the network control unit 307 estimates the usage environment, it specifies the security risk level corresponding to the environment obtained as the estimation result.
[0044] The operation control unit 301 may display a message prompting the button information notification unit 405 to make the setting according to the security risk level identified by the network control unit 307. For example, when the security risk level corresponding to the estimated usage environment is high, the operation control unit 301 displays a message indicating that the environment is particularly high-risk and therefore the setting is strongly recommended even at the expense of convenience. When the security risk level corresponding to the estimated usage environment is low, the operation control unit 301 displays a message indicating that the environment is not particularly high-risk, but that the setting is recommended if possible because it has a certain effect.
[0045] Security settings and measures may reduce convenience, and users may hesitate to implement security settings, leading to the possibility that security settings will not be implemented. By displaying the security risk level or a message corresponding to the security risk level, it is possible to encourage users who are hesitant to implement the settings to do so.
[0046] The operation control unit 301 may switch between displaying and not displaying a prompt to set the security risk level depending on the usage environment. For example, the operation control unit 301 may not display the prompt when a company intranet with a relatively low security risk level is estimated, and may display the prompt when a user is at home with a high security risk level is estimated. Also, instead of switching between displaying and not displaying depending on the usage environment, the operation control unit 301 may be configured to switch the content of the notification. For example, the operation control unit 301 may notify the user when the usage environment is a company intranet, and then notify the user that there is no problem if measures have been taken, and notify the user that measures are strongly recommended when the user is at home.
[0047] When the estimation result of the usage environment has changed from the estimation result at the time of the previous estimation, the operation control unit 301 may display on the button information notification unit 405 that the security settings should be reviewed because the usage environment has changed. At this time, even if the estimation result has not changed, the operation control unit 301 may exceptionally display that the security settings should be reviewed. For example, when the SSID of the wireless access point has changed, even if the estimation result has not changed, the usage environment may have changed because the wireless access point 111 was connected to, so an exceptional display is effective. The same applies when the physical address of the gateway to be connected has changed. Furthermore, when the selection of the usage environment by the recommended security settings 401 and the security settings associated with the selection operation have not been performed, the setting operation has been postponed even if the estimation result has not changed, so an exceptional display to encourage the setting is effective.
[0048] When the estimated result of the usage environment changes, it is necessary to review the security settings, so the MFP can detect the change in the estimated result of the usage environment and notify the user, thereby preventing the user from forgetting to review the security settings. However, even if a notification is displayed only when the estimated result of the usage environment changes, if the user does not have time to set up security settings that correspond to the estimated result of the usage environment on the spot, the user will not be able to review the security settings appropriately. In addition, even if a notification is displayed only when the estimated result of the usage environment changes, if the estimated result of the usage environment coincides by chance, no notification is given, and the user will not be able to review the security settings appropriately. By displaying the exceptional results as described above, the MFP can prompt the user to review the security settings appropriately.
[0049] The detection and notification of the change in the usage environment may be performed at any timing when the usage environment estimation process is executed. Also, it may be performed at a timing when the user wants to know the change in the usage environment, such as when the recommended security setting screen 401 is displayed or when a usage environment estimation start button (not shown) is pressed. Also, the operation control unit 301 may be configured not to display the message that the security settings should be reviewed when it is determined that the usage environment is a highly confidential information environment based on the estimation result of the usage environment.
[0050] <Second embodiment> Hereinafter, an embodiment of the present invention will be described with reference to the drawings. In the first embodiment, after a user selects an access point and completes settings related to network connection, if communication with weak security strength is detected, security notification is given taking into consideration the usage environment of the MFP 100. This embodiment describes a usage procedure in which a user selects and changes a wireless access point after the usage environment of the MFP 100 is specified. Figures 1, 2, 3, 4, 5, and 6 have the same configuration as the first embodiment.
[0051] FIG. 8 shows an access point selection screen 801 displayed on the operation unit 102. When a wireless access point is searched for from the MFP 100, the wireless access points detected are displayed in a list in the wireless access point selection area 802 in a form identified by SSID. For ease of explanation, an example screen in which four access points are found is presented, but in the system configuration of FIG. 1, two access points, wireless access point 111 and wireless access point 112, are displayed in a list. The user can specify the access point to connect to by selecting one of the access points displayed in the list by tapping the screen. When the operation control unit 201 accepts the selection of an access point, information on the selected access point is stored in the data storage unit 302. The information is used when starting a wireless LAN connection. The access point information is, specifically, information such as the required SSID, encryption method, and PSK. Each access point has a security setting attribute, which indicates the encryption method supported by the access point. In the screen 801, the options for a given access point are displayed together with an icon indicating a warning to call attention.
[0052] In this embodiment, the predetermined access point is an access point whose encryption method is one of no encryption, WEP, and WPA. In this embodiment, these access points are also called access points corresponding to non-recommended protocols. The predetermined access point is not limited to an access point whose encryption method is one of no encryption, WEP, and WPA. As described in the first embodiment, in this embodiment, the encryption protocol is specified according to the current situation, but the specific non-recommended encryption protocol will be updated according to future analysis and evolution of the encryption protocol. Therefore, the predetermined access point may be an access point with a relatively low security setting among the settings related to the corresponding encryption process. The relatively low security setting may be an access point with a setting for performing unencrypted wireless communication or wireless communication using a predetermined protocol.
[0053] In this embodiment, only a warning is issued and selection is possible, but other configurations may be used as long as the display control is for suppressing the user from selecting a specific access point. For example, the access point may be made unselectable. The warning may be issued not only by an icon, but also by a statement that the protocol is non-recommended. Alternatively, the options for access points corresponding to non-recommended cryptographic protocols may be hidden.
[0054] 9, a process of specifying access point list information to be displayed on access point selection screen 801 by MFP 100 will be described. All the processes performed by MFP 100 in FIG. 9 are executed as calculation processes by CPU 201 after a program recorded in Flash ROM 211 is loaded into DRAM 202.
[0055] This flow starts when the operation control unit 301 detects a user's screen operation and displays an access point selection screen 801 on the operation unit 102. In S2001, the MFP 100 scans for access points. The wireless LAN device 210 receives radio signals emitted by surrounding wireless access points and identifies the SSID and security settings of the corresponding wireless access points by interpreting the radio signals.
[0056] In S2002, security verification control unit 309 determines that security notification is enabled. The value set by the user in setting 502 for not notifying deprecated protocol warnings for wireless LAN or setting 602 for not notifying deprecated protocol warnings for wireless LAN and stored in data storage unit 302 is read, and it is determined whether or not to notify. If the setting is to notify, processing in S2003 is performed, and if the setting is to not notify, processing in S2005 is performed.
[0057] In S2003, security verification control unit 309 determines whether the usage environment of MFP 100 is a predetermined environment. In this embodiment, the predetermined environment is an environment assumed for use in telecommuting. Note that the predetermined environment is not limited to an environment assumed for use in telecommuting. Other examples that fall under the predetermined environment are similar to those in the first embodiment, and therefore description thereof will be omitted.
[0058] The method of determination is to check whether the usage environment information selected on the recommended security settings screen 401 and stored in the data storage unit 302 is information indicating a home environment. As in the first embodiment, the method of determining the usage environment of the MFP 100 may be configured such that the network control unit 307 estimates the usage environment based on the tendency of packets being transmitted and received. If the usage environment of the MFP 100 is a home environment, S2004 is executed, and if not, S2005 is executed.
[0059] In S2004, MFP 100 marks the access point that supports the non-recommended protocol. If the encryption method included in the security settings for each access point identified in S2001 is no encryption, WEP, or WPA, the access point is identified as one that supports the non-recommended protocol. To explain this marking process in more detail, access point list data to be displayed to the user in later processing is generated and temporarily placed in DRAM 202. At that time, data indicating that the access point has been identified as one that supports the non-recommended protocol is stored as additional information for the access point.
[0060] In S2005, MFP 100 presents a list of access points on wireless access point selection screen 802. At this time, access points identified in S2004 as those compatible with non-recommended protocols are displayed together with a warning to call attention. Note that the display method is not limited to displaying together with a warning to call attention, and may be configured to display in a manner different from options that do not support non-recommended protocols. For example, options compatible with non-recommended protocols may be displayed in an unselectable state, or the options may be hidden.
[0061] In this embodiment, the predetermined access point marked in S2004 and displayed with a warning in S2005 is an access point that supports no encryption, WEP, and WPA, but is not limited to this. As described above, the predetermined access point may be an access point with a relatively low security setting among the settings related to the corresponding encryption process. The relatively low security setting may be an access point with a setting for unencrypted wireless communication or wireless communication using a predetermined protocol.
[0062] The above flow allows a user in a home environment to recognize security risks when selecting an access point after identifying the usage environment. In addition, for users in environments that do not require warnings, such as a company intranet environment, there is an effect of improving convenience by eliminating unnecessary notifications. Note that screens 501, 601, and S2002 can be omitted.
[0063] <Other embodiments> The present invention can also be realized by supplying a program that realizes one or more functions of each of the above-mentioned embodiments to a system or device via a network or a storage medium, and having one or more processors in a computer of the system or device read and execute the program. It can also be realized by a circuit (e.g., ASIC or FPGA) that realizes one or more functions. [Explanation of symbols]
[0064] 100 MFP 301 Operation control section 309 Security Verification Control Unit
Claims
1. An information processing device capable of wirelessly communicating with an external device, A reception unit for receiving a selection of one environment from a plurality of environments as a usage environment of the information processing device; a notification control means for notifying a warning regarding wireless communication settings when one of predetermined environments is selected by the reception means and a setting with a relatively low security level among settings related to encryption processing used for wireless communication is set in the information processing device, and for controlling not to notify the warning when the predetermined environment is not selected by the reception means; having The information processing device characterized in that the specified environment is at least one of an environment assuming use of the information processing device when working from home, an environment assuming use of the information processing device in a coworking space or shared office, and an environment assuming connection of the information processing device to a Wi-Fi hotspot.
2. the setting with a relatively low security strength is a setting for the information processing device to perform unencrypted wireless communication or wireless communication using a predetermined protocol, 2. The information processing apparatus according to claim 1, wherein the predetermined protocol is one of WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access).
3. The information processing device further includes a setting unit that sets a group of setting values associated with the environment selected by the receiving unit for a plurality of setting items of the information processing device, 2 . The information processing apparatus according to claim 1 , wherein the set of setting values does not include a setting value that corresponds to a setting related to the encryption process.
4. The information processing device further includes an estimation unit for estimating a usage environment of the information processing device, 2 . The information processing apparatus according to claim 1 , wherein the accepting means accepts a selection of the environment estimated by the estimating means as the selection of the one environment.
5. The device further includes a second receiving means for receiving an instruction not to notify the warning, The information processing device according to claim 1, characterized in that when the second receiving means receives the instruction, the notification control means controls the notification so as not to notify the warning even when the receiving means selects one of the specified environments and the relatively low security strength setting is set in the information processing device.
6. 2 . The information processing apparatus according to claim 1 , wherein the settings related to the encryption process include at least one of an authentication method, an encryption method, an encryption algorithm, and a key length.
7. 2. The information processing apparatus according to claim 1, wherein the notification control means issues the notification via an operation unit of the information processing apparatus or an operation unit of an external device.
8. The information processing device according to claim 1, further comprising a storage means for storing information that the relatively low security strength setting is set in the information processing device when the specified environment is selected by the reception means and the relatively low security strength setting is set in the information processing device.
9. 2 . The information processing apparatus according to claim 1 , wherein the information processing apparatus is an image processing apparatus including at least one of a scanner and a printer, and executes processing related to at least one of the scanner and the printer with the external device by using the wireless communication.
10. An estimation means for estimating a usage environment of the information processing device; a first notification means for notifying a security risk level of the environment based on the environment estimated by the estimation means; The information processing apparatus according to claim 1 , further comprising:
11. An estimation means for estimating a usage environment of the information processing device; a second notification means for notifying the user when the environment estimated by the estimation means has changed; and The information processing device according to claim 1, characterized in that the second notification means notifies the user based on the estimation made by the estimation means when the SSID of the wireless access point to be connected or the physical address of the gateway to be connected has changed, even if the environment estimated by the estimation means has not changed.
12. An estimation means for estimating a usage environment of the information processing device; a second notification means for notifying the user when the environment estimated by the estimation means has changed; and The information processing device according to claim 1, characterized in that, when no environment is selected by the receiving means, the second notification means issues a notification based on the estimation by the estimation means even when the environment estimated by the estimation means has not changed.
13. An information processing device capable of wirelessly communicating with an external device, A reception unit for receiving a selection of one environment from a plurality of environments as a usage environment of the information processing device; providing means for providing a screen for accepting a selection of an access point by a user in order to perform the wireless communication; a display control means for controlling, when one of predetermined environments is selected by the reception means, to display on the screen a display for suppressing selection of a predetermined access point; having The predetermined environment is at least one of an environment assuming use of the information processing device in telecommuting, an environment assuming use of the information processing device in a coworking space or a shared office, and an environment assuming connection of the information processing device to a Wi-Fi hotspot; The information processing device, wherein the predetermined access point has a setting with a relatively low security level among settings related to encryption processing of wireless communication corresponding to the access point.
14. The information processing device according to claim 13, characterized in that the display control means, as a display for suppressing the selection of the specified access point, hides an option corresponding to the specified access point, displays the option but makes it unselectable, or displays the option together with a warning.
15. A method for controlling an information processing device capable of wirelessly communicating with an external device, comprising: a receiving step of receiving a selection of one environment from a plurality of environments as the usage environment of the information processing device; a notification control step of notifying a warning regarding wireless communication settings when one of predetermined environments is selected in the receiving step and a setting with a relatively low security strength among settings related to encryption processing used for wireless communication is set in the information processing device, and controlling not to notify the warning when the predetermined environment is not selected in the receiving step; having A control method characterized in that the specified environment is at least one of an environment assuming use of the information processing device when working from home, an environment assuming use of the information processing device in a coworking space or shared office, and an environment assuming connection of the information processing device to a Wi-Fi hotspot.
16. A method for controlling an information processing device capable of wirelessly communicating with an external device, comprising: a receiving step of receiving a selection of one environment from a plurality of environments as the usage environment of the information processing device; a providing step of providing a screen for accepting a selection of an access point by a user in order to perform the wireless communication; a display control step of controlling, when one of the predetermined environments is selected in the reception step, to perform a display on the screen for suppressing selection of a predetermined access point; having The predetermined environment is at least one of an environment assuming use of the information processing device in telecommuting, an environment assuming use of the information processing device in a coworking space or a shared office, and an environment assuming connection of the information processing device to a Wi-Fi hotspot; A control method, characterized in that the specified access point has a setting with a relatively low security strength among settings related to encryption processing of wireless communication corresponding to the access point.
17. A program for causing a computer to execute the control method according to claim 15 or 16.