Don’t forget the peripherals: why printers are a continued security risk
Last week, security researchers revealed a staggering 35 vulnerabilities in printers from six household-name brands. The findings highlighted the continued threat to organizations from their PC peripherals, and as printers become more powerful and connected, the risks will only increase. One 2017 study claimed that 61% of large enterprises had suffered at least one data breach through insecure printing.
The key for organizations is to start thinking about their printers as computing devices in their own right. As such, they need continuous monitoring, updating and protecting just as any other endpoint would. The alternative is a security blind spot that could put enterprise data and mission-critical IT systems at risk.
The problem with printers
The research, revealed by NCC Group at security conference DEF CON in Las Vegas, listed problems with printers produced by six well-known manufacturers: HP, Kyocera, Brother, Ricoh, Xerox, and Lexmark. Some of the vulnerabilities it found were incredibly straightforward, requiring just a few minutes to discover with “basic” computing tools dating back 30 years, the firm claimed. These included:
- Buffer overflow vulnerabilities
- Cross-site scripting
- Denial of service
- Information disclosure
- Lack of cross-site request forgery countermeasures
- Hard-coded credentials
- Broken access controls
- No account lock
Some of the flaws could allow attackers to crash a device, or even worse, execute arbitrary code remotely. Depending on the device’s set-up and its access to the corporate network, this could be extremely bad news if it gives hackers a foothold into the organization.
The good news is that these flaws are being, or have been, fixed. IT admins are urged to patch immediately.
A brief history of threats
This isn’t the first time that printers have come under the scrutiny of security researchers. Most recently, Check Point warned in 2018 of two vulnerabilities in HP all-in-one printers which could enable hackers to attack corporate networks simply by sending a specially crafted fax.
That same year, an unnamed hacker hijacked tens of thousands of printing devices exposed to the internet via port 9100. In the end, that individual did nothing more serious than forcing the printers to print out a message in support of a popular YouTube celebrity. But with an estimated 800,000 devices similarly exposed, it could have been much worse.
Why printers are vulnerable
As printers and multi-function devices (MFDs) have evolved from standalone, dumb devices to connected, high-powered smart technology, researchers have warned of their potential shortcomings.
These include:
- On-board storage which could be hacked to steal highly sensitive corporate documents
- BIOS and firmware which could be exploited as part of a remote attack on the corporate network
- Network printer traffic which could be monitored by hackers, who may even be able to intercept documents sent from PC to printer
- Open network ports 9100, 515, and 721–731 provide yet another attack vector
It only takes one
It goes without saying that even a single vulnerable printer could have major repercussions for the organization if hackers successfully target it. The impact of such a security breach could include:
- Regulatory fines
- Lost customers
- Brand damage
- Declining share price
- Lost competitive advantage
- Costs associated with investigating and recovering from the incident
Time to act
Fortunately, there’s plenty organizations can do to ensure their printers and MFDs remain safe from attack. If they aren’t already, these devices must be included as part of any company-wide information security strategy. In fact, your entire printer fleet should have its own security policy, effectively enforced, to prove to regulators in the event of a breach that you haven’t ignored a major security risk.
After that, consider the following:
- Apply controls to limit and secure network access, including the use of protocols and ports
- Regularly apply firmware updates
- Secure the printer itself, for example by applying hard disk encryption to scramble any data in use
- Ensure any scan, print, copy and fax data is removed from the hard drive in the event the device is disposed of or sold
- Add user authentication to ensure no documents are printed out and left in the tray for all to see
- Consider digital rights management (DRM) via watermarking or PDF encryption to further discourage the unauthorized copying of sensitive information
- Find a way to monitor printer usage across all company devices, down to the user level. This will help to support compliance efforts and aid investigators in the event of unauthorized access
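One way to check the network-access and monitoring recommendations above, as an added example that is not part of the original article: it scans firewall flow records for traffic to the print ports the article names (9100, 515, 721-731) that does not come from an approved print server. The log format, subnets and addresses are constructed assumptions.

```python
import ipaddress

# Print-service ports named in the article: 9100, 515 and 721-731.
PRINT_PORTS = {9100, 515} | set(range(721, 732))

# Assumptions for this example (constructed values, adjust to your network):
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")      # printer VLAN
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.10/32")]  # print server
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # corporate space

# Constructed flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2024-01-15T09:01:02Z 10.20.1.10 10.20.30.15 9100 ALLOW
2024-01-15T09:03:40Z 10.20.7.88 10.20.30.15 9100 ALLOW
2024-01-15T09:04:11Z 203.0.113.7 10.20.30.22 515 ALLOW
2024-01-15T09:05:00Z 10.20.7.88 10.20.30.15 443 ALLOW
2024-01-15T09:06:30Z 198.51.100.9 10.20.30.22 725 DENY
malformed line
2024-01-15T09:07:00Z 10.20.7.88 10.20.40.5 9100 ALLOW
"""

def audit_flows(text):
    """Return (ts, src, dst, port, finding) for print-port traffic to the
    printer network that did not originate from an approved source."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if dst_ip not in PRINTER_NET or port not in PRINT_PORTS:
            continue  # not print traffic to a printer
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue  # expected path through the print server
        if action == "DENY":
            finding = "blocked"                # control worked, still worth a look
        elif any(src_ip in net for net in INTERNAL_NETS):
            finding = "bypasses-print-server"  # internal host printing directly
        else:
            finding = "internet-exposed"       # outside host reached a printer
        findings.append((ts, src, dst, port, finding))
    return findings
```

Findings marked `internet-exposed` point to a missing perimeter rule, while `bypasses-print-server` entries are jobs that skip the user-level logging a print server provides.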
If you work in a small business with limited resources to throw at such a problem, it may be worth looking for third-party help by investing in a managed print service (MPS). These can audit your printing infrastructure for any security deficiencies and keep it up-to-date to minimize risk going forward. However, this will require some due diligence upfront to ensure you go with the right MPS package.