Think that printer in the corner isn’t a threat? Think again

Sitting in the corner, sometimes collecting dust, is an overlooked attack surface

They sit off in the corner, some of them collecting dust. Yet, a printer is a legitimate attack surface. Many companies don’t bother to update the firmware on older models, or don’t include every model in a security audit (such as the one in the CEO’s office everyone forgot about), or the organization assumes a hacker won’t bother with an Epson or HP that is barely even connected to Wi-Fi.

Interestingly enough, the fact that a printer seems so innocuous and harmless is exactly why it poses a threat, according to the security analysts who talked to CSO about this issue. Sometimes the best attack vector for an attacker is the one no one bothers to think about. A recent IDC survey found that 35 percent of all security breaches in offices were traced back to an unsecured printer or multi-function device, costing companies $133,800 each year.

Why the threat is serious

A printer falls into the category of “fringe” devices you might not consider. Enterprise security tools protect networks and laptops; they often do not block access from a printer that is outdated and still runs the original firmware that shipped with the product.

“Printers at first may seem like a benign issue, however you have to remember that they are mini-computers,” says Chris Vickery, a white hat hacker and Security Researcher at MacKeeper. “Getting control of a printer within an organization can provide a foothold for further attacks and a position to ‘pivot’ out of into networks.”

The most serious threat has to do with an attacker gaining access to the network through the printer. Other issues include capturing every document sent to the printer, which could be a serious business intelligence compromise. Vickery said another recent incident involved sending a white supremacist document to thousands of printers that did not block a specific port.

Arianna Valentini, a security researcher with IDC, said that apart from the actual hacks into the printer itself, another security concern has to do with documents left unattended. Many older models have no way to hold a job until someone enters a password at the device itself. Corporate users tend to print and forget the documents. This makes it all too easy for a thief to steal the documents, digitize them, and sell company secrets.

Vickery says this problem arose partly due to neglect (printers sitting idle in a corner) and partly due to how the printer companies failed to protect the devices. He says one of the biggest innovations in printer security was in using password protections on printers by default (that is, the devices are shipped with passwords enabled). That doesn’t help with the millions of older models that still rely on the default firmware that does not use passwords, however.

Lawrence Pingree, a security researcher at Gartner, says printers pose one additional threat. For an organization in the healthcare or finance sectors, where regulatory compliance is required, a printer is also subject to any inquiries – it poses a compliance risk just as much as a laptop.

The experts all said the printer security issue is not brand specific. There is a widespread problem of older printers from Canon, Xerox, HP, and many others that merely use the default firmware or don’t use any password protection for print jobs, and yet are attached to corporate networks, either through a LAN connection or over Wi-Fi.

Vickery did mention there have been reports of printer security issues with HP models, but that may have more to do with the popularity of that brand. As a result, HP has also stepped up their security, according to Pingree, mostly as a response to the potential for hacking.

Vickery says there is a new vulnerability related to Ricoh printers. He says every Ricoh printer has a backdoor admin account. To use this account, you log in as supervisor with no password. At this point, you can then change the main admin password. Once you have access to the admin account, you can then change the firmware and potentially install a Trojan firmware.

Printer security tips

It’s too easy to suggest one ultimate security tip: Replace outdated printers with newer models that have protection – which would be a nice boon for printer companies. Yet, the technology in recent models has advanced to the point where it is worth considering.

Valentini says new innovations have come just in the past six months. For example, the latest HP PageWide models use a new tech called Sure Start that detects whether the printer is booting using the correct BIOS. An HP Whitelisting feature also checks to make sure the firmware has not been hacked.

Also, Xerox introduced a new feature in March of 2016 that uses encryption for all printing and scanning. Another new feature automatically deletes print jobs at power up, which reduces the likelihood that a hacker could attack a printer that is storing old print jobs.

“We expect to continue to see more product releases from printer manufacturers and software vendors who are taking steps to better help organizations enable a secure print environment,” says Valentini.

Pingree adds that, other than using some of these innovations, it’s important to see a printer for what it is – another server that is running an operating system and is open to attack. This means securing it just like any other endpoint and treating it as a vulnerability.

He also said it is fairly easy to overlook a common problem; it’s usually the IT admins who configure printers, and they might do so using their own credentials, potentially exposing their access privileges. An attacker could conceivably tap in and steal them.

In the end, there are too many options for attack – loading an unauthorized firmware, capturing data from print jobs, or even stealing forgotten docs in the print tray. It’s important to address any possible scenarios, even if the printer then resumes collecting dust.
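As an added illustration (not part of the original article and not any vendor's tool), the following script audits a printer inventory against the risks named above and ranks devices by exposure. The CSV columns, account names and weights are assumptions constructed for this example.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this example.
INVENTORY_CSV = """\
name,in_audit_scope,firmware,shipped_firmware,admin_password_set,pin_release,purge_jobs_on_boot,stored_account
lobby-mfp,yes,3.2.1,1.0.0,yes,yes,yes,svc-print
ceo-office,no,1.0.0,1.0.0,no,no,no,jsmith-admin
finance-2f,yes,2.4.0,2.4.0,yes,no,yes,svc-print
"""

# Hypothetical privileged accounts that should never be stored on a device.
PRIVILEGED_ACCOUNTS = {"jsmith-admin", "administrator"}

# (finding, weight, predicate): one rule per risk the article names.
# The firmware rule is a heuristic: a brand-new device may legitimately match.
RULES = [
    ("missing from security audit scope", 2,
     lambda p: p["in_audit_scope"] != "yes"),
    ("still on factory-shipped firmware", 3,
     lambda p: p["firmware"] == p["shipped_firmware"]),
    ("no admin password set", 3,
     lambda p: p["admin_password_set"] != "yes"),
    ("jobs print without PIN release at the device", 1,
     lambda p: p["pin_release"] != "yes"),
    ("stored jobs survive a power cycle", 1,
     lambda p: p["purge_jobs_on_boot"] != "yes"),
    ("configured with a privileged admin credential", 3,
     lambda p: p["stored_account"] in PRIVILEGED_ACCOUNTS),
]

def audit(csv_text):
    """Return (name, score, findings) tuples, highest risk first."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        p = {k: (v or "").strip().lower() for k, v in row.items()}
        hits = [(msg, weight) for msg, weight, failed in RULES if failed(p)]
        report.append((row["name"], sum(w for _, w in hits), [m for m, _ in hits]))
    return sorted(report, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for name, score, findings in audit(INVENTORY_CSV):
        print(f"{name}: risk {score}")
        for finding in findings:
            print(f"  - {finding}")
```
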

Stories by John Brandon
