Network printers – an overlooked security threat

Printers are an often neglected component in network security defences. With their increasing complexity, internet connectivity, random access memory (RAM), integrated disk drives and multi-functionality, network printers are a potential security vulnerability that deserves attention. Unlike other data storage devices on the network, printers are typically subject to very few security controls.

Network printers are used to print, scan, copy or fax documents that often contain sensitive information. While a task sits in the queue and while it is being processed, the data is unencrypted and vulnerable. Because the printer sits on a network, these sensitive documents are exposed to network-borne threats. Printer vulnerabilities leave sensitive data open to identity theft and corporate espionage.

Many multi-function printers incorporate a hard disk drive that records and stores data. Residual data remaining on the disk after printing, scanning, copying or faxing also constitutes a security risk. It could be harvested by malware on the network, or recovered when the device is decommissioned, as happened when the Buffalo, NY police department sold off old printer hardware that still held sensitive information on its hard drives.

There are 30 million printers in the US and Western Europe, most of them connected to a network. A recent search showed 86,000 publicly accessible HP printers.

A vulnerability in HP LaserJet printers enables a remote hacker to gain access to sensitive data by connecting to the telnet debug shell. Columbia University researchers showed they were able to rewrite an HP LaserJet printer’s firmware and even cause it to catch fire.

Once infected with malware, the printer can send confidential documents from the print queue to a remote hacker. An infected printer can also be used as a beachhead to attack PCs on the network. In addition, the infected printer can block future firmware updates, ensuring the infection is never removed.
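The two behaviours described above, a printer sending documents out to a remote host and a printer reaching into the rest of the network, both show up as traffic the printer itself initiates. The following added example (not code from the original post) runs a simple detection over constructed flow-log lines: it assumes a log format of `timestamp src_ip src_port dst_ip dst_port proto bytes`, a small inventory of printer addresses, and that a printer on its own should only contact the internal DNS/NTP server. Every address and log line is constructed for illustration.

```python
"""Flag printer-initiated network traffic that a printer has no business sending.

Added example, not code from the original post. It assumes a simple flow-log
line format ('timestamp src_ip src_port dst_ip dst_port proto bytes'), a
small inventory of printer addresses, and an internal address range; every
address and log line below is constructed for illustration.
"""
import ipaddress

# Constructed inventory: printers, the hosts printers may legitimately talk to,
# and the internal address space.
PRINTERS = {"10.20.5.11", "10.20.5.12"}
INFRA_SERVERS = {"10.20.1.2"}             # DNS/NTP server (assumed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Services a printer initiates on its own: DNS and NTP (assumption for this example).
ALLOWED_OUTBOUND_PORTS = {53, 123}

# Constructed flow-log sample: two benign lines, one connection from a printer
# to a workstation's SMB port, one large upload to an external host, and one
# inbound print job (not printer-initiated, so out of scope).
CONSTRUCTED_FLOWS = """\
2013-04-01T10:00:01 10.20.5.11 49152 10.20.1.2 53 udp 88
2013-04-01T10:00:05 10.20.5.11 49153 10.20.1.2 123 udp 76
2013-04-01T10:01:12 10.20.5.12 49160 10.20.7.30 445 tcp 3312
2013-04-01T10:02:40 10.20.5.12 49161 203.0.113.9 443 tcp 8200000
2013-04-01T10:03:00 10.20.9.4 50011 10.20.5.11 9100 tcp 51200
"""


def parse_flow(line):
    """Split one flow-log line into a dict with numeric ports and byte count."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def is_internal(ip):
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return a reason string if a printer-initiated flow is suspicious, else None."""
    if flow["src"] not in PRINTERS:
        return None  # only traffic the printer itself initiates is in scope
    if not is_internal(flow["dst"]):
        return "printer initiated a connection to an external host"
    if flow["dst"] in INFRA_SERVERS and flow["dport"] in ALLOWED_OUTBOUND_PORTS:
        return None
    return "printer initiated a connection to an unexpected internal host/port"


def analyze(log_text):
    """Run every flow line through classify() and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason is not None:
            findings.append((flow["ts"], flow["src"], flow["dst"],
                             flow["dport"], flow["bytes"], reason))
    return findings


if __name__ == "__main__":
    for ts, src, dst, dport, nbytes, reason in analyze(CONSTRUCTED_FLOWS):
        print(f"{ts} {src} -> {dst}:{dport} ({nbytes} bytes): {reason}")
```

The rule is deliberately an allow-list: a printer is a fixed-function device, so anything it initiates beyond the handful of services it needs is worth a look, and the byte count carried in each finding makes the large external upload stand out from the small internal probe.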

Exploits have been uncovered in HP JetDirect software, which is used by many printer manufacturers (e.g. Canon, Lexmark, Samsung, Xerox) to connect the printer to a network.

The firmware of Samsung printers (including some branded as Dell) contains backdoor administrator access protected only by a default password. An attacker who knows that password can take over the printer through the Simple Network Management Protocol (SNMP) and potentially gain access to sensitive material printed on it.

A major threat to organisations today comes from Advanced Persistent Threats (APTs). Network printers provide a potential point of access for these complex attacks. For example, malware on an Android device could spread to the network printer through a cloud print command. Once on the network printer, the malware could send copies of all documents printed, copied, scanned or faxed to a remote attacker, or spread further within the network, having bypassed firewalls and intrusion detection controls.

The network printer deserves close attention during a security review:
1. Only allow connections from trusted hosts and networks.
2. Ensure that the printer firmware is regularly updated.
3. Use digital rights management tools to control access to sensitive documents.
4. Change the default printer password.
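Items 1, 2 and 4 of the checklist are mechanical enough to verify against an inventory rather than by hand. The added example below (not code from the original post) audits a constructed list of printer records: it assumes a trusted client network for print servers and admin hosts, a minimum firmware version per model, and a maintained list of vendor-default credentials. The model name "ExampleJet 4000", the version numbers and every record are constructed; item 3 (digital rights management) is a process control and is not checked here.

```python
"""Audit a printer inventory against the hardening checklist above.

Added example, not code from the original post. It assumes the inventory is
available as a list of records (however they were collected), that a trusted
client network and a minimum firmware version per model have been agreed, and
that the default-credential list is maintained by the reader. The model name
'ExampleJet 4000', the versions and every record below are constructed.
"""
import ipaddress

# Hosts that may connect to printers: print servers and admin jump hosts (assumed).
TRUSTED_CLIENT_NETS = [ipaddress.ip_network("10.20.1.0/24")]
# Constructed list of vendor-default admin passwords to reject.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
# Minimum acceptable firmware per model (hypothetical baseline).
MINIMUM_FIRMWARE = {"ExampleJet 4000": "2.3.1"}

# Constructed inventory: one printer still at factory settings, one hardened.
CONSTRUCTED_INVENTORY = [
    {"host": "10.20.5.11", "model": "ExampleJet 4000", "firmware": "2.2.0",
     "admin_password": "admin", "snmp_community": "public",
     "allowed_clients": ["0.0.0.0/0"]},
    {"host": "10.20.5.12", "model": "ExampleJet 4000", "firmware": "2.4.0",
     "admin_password": "Xq7!vN2#pL9m", "snmp_community": "r0-7f3a9c1e",
     "allowed_clients": ["10.20.1.0/24"]},
]


def parse_version(text):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_client_acl(allowed_clients):
    """Item 1: every permitted client range must lie inside a trusted network."""
    findings = []
    for cidr in allowed_clients:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(trusted) for trusted in TRUSTED_CLIENT_NETS):
            findings.append(f"ACL permits untrusted range {cidr}")
    return findings


def check_firmware(model, firmware):
    """Item 2: firmware must meet the agreed baseline for the model."""
    baseline = MINIMUM_FIRMWARE.get(model)
    if baseline is None:
        return [f"no firmware baseline defined for model {model!r}"]
    if parse_version(firmware) < parse_version(baseline):
        return [f"firmware {firmware} below baseline {baseline}"]
    return []


def check_credentials(admin_password, snmp_community):
    """Item 4: default admin password and default SNMP community must be gone."""
    findings = []
    if admin_password in DEFAULT_ADMIN_PASSWORDS:
        findings.append("admin password is a vendor default")
    if snmp_community in DEFAULT_SNMP_COMMUNITIES:
        findings.append(f"SNMP community is the default {snmp_community!r}")
    return findings


def audit_printer(record):
    """Combine all checks for one printer record into a list of findings."""
    return (check_client_acl(record["allowed_clients"])
            + check_firmware(record["model"], record["firmware"])
            + check_credentials(record["admin_password"], record["snmp_community"]))


def audit_inventory(records):
    """Map each printer host to its findings (an empty list means it passed)."""
    return {r["host"]: audit_printer(r) for r in records}


if __name__ == "__main__":
    for host, findings in audit_inventory(CONSTRUCTED_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Versions are compared as integer tuples rather than strings so that "2.10.0" correctly ranks above "2.9.9", and the ACL check uses `subnet_of` so that a permitted range is only accepted when it lies entirely within a trusted network; an any-source rule such as 0.0.0.0/0 fails that test.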

2 thoughts on “Network printers – an overlooked security threat”

  1. Paul D. Porter, April 1, 2013 at 4:54 pm

    AMEN!

  2. Don Turnblade, April 1, 2013 at 6:24 pm

    Hostile firmware update compilers exist for HP printers. Leaving the Admin password in its vendor default state presents a huge opportunity for Advanced Persistent Threats. Since normal white-hat testing is not allowed to crash servers, reports of clear-text passwords on printers are all the notice a firm may have.

    When the printer is not currently printing checks or sensitive data, it gets overlooked. When the sensitivity of the printer changes, does the security posture change to match? How do you know it did? Who is responsible if a gap occurred? Does the hacker care if this step got skipped and disorganization rules the day?
