Think that printer in the corner isn’t a threat Think again

03.05.2016
They sit off in the corner, some of them collecting dust. Yet, a printer is a legitimate attack surface. Many companies don’t bother to update the firmware on older models, or don’t include every model in a security audit (such as the one in the CEO’s office everyone forgot about), or the organization assumes a hacker won’t bother with an Epson or HP that is barely even connected to Wi-Fi.

Interestingly enough, because a printer is so innocuous and seemingly harmless, that’s the exact reason it poses a threat, according to the security analysts who talked to CSO about this issue. Sometimes, the best attack vector for an attacker is the one no one bothers to think about. However, a recent IDC survey found that 35 percent of all security breaches in offices were traced back to an unsecured printer or multi-function device, costing companies $133,800 each year.

As with any vulnerability, a printer fits into that category of “fringe” devices you might not consider. Enterprise security tools protect networks and laptops; they often do not block access from a printer that is outdated and runs the original firmware that shipped with the product.

[ RELATED: Exposed HP LaserJet printers offer Anonymous FTP to the public ]

“Printers at first may seem like a benign issue, however you have to remember that they are mini-computers,” says Chris Vickery, a white hat hacker and Security Researcher at MacKeeper. “Getting control of a printer within an organization can provide a foothold for further attacks and a position to ‘pivot’ out of into networks.”

The most serious threat has to do with an attacker gaining access to the network through the printer. Other issues include capturing every document sent to the printer, which could be a serious business intelligence compromise. Vickery said another recent incident involved sending a white supremacist document to thousands printers that did not block a specific port.

Chris Vickery, a white hat hacker and Security Researcher at MacKeeper

Arianna Valentini, a security researcher with IDC, said that apart from the actual hacks into the printer itself, another security concern has to do with documents left unattended. Many older models do not use any security related to only printing when someone enters a password at the device itself. Corporate users tend to print and forget the documents. This makes it all too easy for a thief to steal the documents, digitize them, and sell company secrets.

Vickery says this problem arose partly due to neglect (printers sitting idle in a corner) and partly due to how the printer companies failed to protect the devices. He says one of the biggest innovations in printer security was in using password protections on printers by default (that is, the devices are shipped with passwords enabled). That doesn’t help with the millions of older models that still rely on the default firmware that do not use passwords, however.

Lawrence Pingree, a security researcher at Gartner, says printers pose one additional threat. An organization in the healthcare or finance sectors, where regulatory compliance is required, a printer is also subject to any inquiries – it poses a compliance risk just as much as a laptop.

The experts all said the printer security issue is not brand specific. There is a widespread problem of older printers from Canon, Xerox, HP, and many others that merely use the default firmware or don’t use any password protection for print jobs, and yet are attached to corporate networks, either through a LAN connection or over Wi-Fi.

Vickery did mention there have been reports of printer security issues with HP models, but that may have more to do with the popularity of that brand. As a result, HP has also stepped up their security, according to Pingree, mostly as a response to the potential for hacking.

[ MORE: Cloud Printers Rain on Security Parade ]

Vickery says there is a new vulnerability related to Ricoh printers. He says every Ricoh printer has a backdoor admin account. To use this account, you login as supervisor with no password. At this point, you can then change the main admin password. Once you have access to the admin account, you can then change the firmware and potentially install a Trojan firmware.

It’s too easy to suggest one ultimate security tip: Replace outdated printers with newer models that have protection – which would be a nice boon for printer companies. Yet, the technology in recent models has advanced to the point where it is worth considering.

Valentini says new innovations have come just in the past six months. For example, the latest HP PageWide models use a new tech called Sure Start that detects whether the printer is booting using the correct BIOS. An HP Whitelisting feature also checks to make sure the firmware has not been hacked.

Also, Xerox introduced a new feature in March of 2016 that uses encryption for all printing and scanning. Another new feature automatically deletes print jobs at power up, which reduces the likelihood that a hacker could attack a printer that is storing old print jobs.

“We expect to continue to see more product releases from printer manufactures and software vendors who are taking steps to better help organizations enable a secure print environment,” says Valentini.

Pingree adds, other than using some of these innovations, it’s important to see a printer for what it is – another server that is running an operating system and is open to attack. This means securing it just like any other endpoint and treating it as a vulnerability.

He also said it is fairly easy to overlook a common problem; it’s usually the IT admins who configure printers, and they might do so using their own credentials, potentially exposing their access privileges. An attacker could conceivably tap in and steal them.

In the end, there are too many options for attack – loading an unauthorized firmware, capturing data from print jobs, or even stealing forgotten docs in the print tray. It’s important to address any possible scenarios, even if the printer then resumes collecting dust.

(www.csoonline.com)

John Brandon