Printers join fray in network vulnerability landscape

Printers are not the typical paths cybercriminals take into corporate networks. Nevertheless, the devices have become a concern among experts who see them as an ignored weakness in network defenses.

Andrew Howard, a U.K. mobile app developer, recently raised the issue of printer security by showing that a "quick, well-crafted Google search" could return 86,800 results for publicly accessible Hewlett-Packard printers.

"There are security concerns here, as many printer models have known exploits, which can be used as an entry point to a private network," Howard said in a blog post.

Earlier this month, Sebastian Guerrero, a researcher at viaForensics, found vulnerabilities in JetDirect that could be used to exploit HP printers. JetDirect technology is used to attach a printer to a local area network, so many people can access the device.

Guerrero said the vulnerabilities could enable someone to retrieve previously printed documents and to crash vulnerable printers.

HP advises customers to place printers behind a firewall and to provide network credentials only to trusted parties. "By following the HP recommended security features, printers should not be accessible to the public via the Internet," the company said in a statement.


Security flaws in printers have been reported before and experts have warned over the years that the devices pose a serious risk, because they are often overlooked.

Printers are not primary targets for hackers today, because of the success cybercriminals have had with attacking vulnerabilities in Web browsers, Microsoft Office or other software. In addition, the criminal underground online provides lots of tools for exploiting vulnerabilities in the PC.

"Criminals are just like water. They take the path of least resistance," said Andrew Hoog, chief investigative officer at viaForensics.

However, as corporations build better defenses to lock down these traditional pathways, printers could gain more attention, Hoog said. Because printer security is often ignored, the devices could be targeted more in stealth attacks conducted by people engaged in cyberespionage.

Steps corporations could take immediately to greatly boost printer security include making sure the devices are not accessible through the Internet. In addition, companies need to check for firmware updates on a regular basis.

"These are two simple steps you can take that will mitigate most of your issues," Hoog said.

Read more about network security in CSOonline's Network Security section.
