Updated: Oct 26, 2020
Written by: Andrew Connnely
When technology users or even IT professionals think of security vulnerabilities, their first thoughts immediately focus on the networks or computers, which are the most commonly impacted components of a modern workplace. Anyone watching or reading the news has no doubt heard about hackers gaining access to enterprise networks and wreaking havoc by deploying malware or stealing sensitive information. Because the spotlight is on these elements of today’s office-tech, it’s easy to overlook the unassuming and unglamorous printer, parked in an out-of-the-way corner of the office. But believe it or not, the world has changed and now printers are security threats too.
Not too long ago, printers would never have been considered a threat. They connected to serial, then USB, then networks, and performed a single function quite well. Most of the time, workers don’t even give a second thought to their printers except for the several minutes each day when they come alive to quickly serve up print jobs (or when they stop working!). Along with the rest of the world of technology, printers evolved into always-connected devices that more closely resemble computers than printers. Because of this innovation, printers now have more features, but also more vulnerabilities.
The modern printer can be loosely classified as a device that falls within the scope of “The Internet of Things” (IoT). These “things” usually perform specific tasks, powered by lightweight software running on purpose-built computer hardware. Almost always, the requirements dictate that these “things” be able to communicate across networks to share sensor data, provide local functionality to remote users, or in our case, print, scan, and fax. Like all other IoT devices, without a network connection, printers are only good for weighing down the paper they contain in their trays.
Researchers have been probing printers for weaknesses for years, but since new printers and printing technologies are released all the time, there are always new flaws to discover. A security research team recently uncovered a number of vulnerabilities in top printer brands like Brother, Xerox, Ricoh, Kyocera, and Lexmark.
The report from August 2019 stated that the researchers first looked for similarities between all the printers so they could test their attacks on the most printers at once. They looked for common “attack surfaces” that all these printers shared:
Protocols: Protocols are the languages or rules that printers all share. These protocols dictate the foundations upon which the printers communicate; that is, how they receive and send information across networks to and from users of those printers. One example is the Internet Printing Protocol (IPP).
Services: Services are the features that the printers stand ready to deliver to users. Scanning to network folders and printing from email are popular services.
Implementations: This category deals with how printers use printer-specific protocols like IPP combined with other technologies to deliver both printing and configuration services to users and administrators. One example might be Apple’s Bonjour, which allows a user to quickly configure a network printer on a macOS computer using a set of technologies called Zero-Configuration Networking (or zeroconf).
The vulnerabilities found by researchers ranged in number and severity for each printer manufacturer. Some manufacturers, like those not mentioned, had clearly employed secure combinations of hardware and software technologies (like the protocols mentioned above). Others fared well, like Brother, with only 3 vulnerabilities discovered. Unfortunately, it got pretty ugly from here.
Xerox: 8 vulnerabilities
Lexmark: 9 vulnerabilities
Ricoh: 12+ vulnerabilities
Kyocera: 12+ vulnerabilities
Brief descriptions of some of these security flaws are as follows:
Denial of Service (DoS) Weaknesses: DoS attacks mean that an attacker seeks to prevent the user from operating the equipment as normal. In this case, the researchers found that by attacking the networking management functions of the printer (Simple Network Management Protocol, or SNMP), the printer would stop working until the attack ceased.
Information Disclosure Vulnerability: Attackers were able to send what are essentially crafted bad requests to a printer to force it to leak important information. This information usually has to do with cryptographic “keys”, which are the codes to unlock encrypted data sent over a network. When sensitive data is encrypted and sent over a network, only the devices or users with these keys can unlock and read it. If someone steals the key from, say, a printer, then any sensitive data going to or coming from that printer can be deciphered.
Buffer Overflows: With this type of attack, the researchers “overflowed” the printer memory by flooding it with useless data, causing the printer to either stop functioning or become weakened to the point that attackers could then carry out a more serious exploit. The vector of attack was usually through a printer’s web interface (or the “page” used to manage printer settings in a browser), often exploiting services like Google Cloud Print and IPP. This exploit was typically the gateway that allowed the researchers to carry out the next attack mentioned.
Cross-Site Scripting (XSS): XSS takes “scripts”, or lines of code that run automatically, and injects them into a web application (in this case, a printer). When a user (whose computer trusts the application) accesses that application (a printer), the scripts run automatically, often causing the user’s computer to perform a malicious function. These “functions” could be anything, like downloading a small piece of code or software that gives the attacker access to the rest of the network and allows them to persistently stay on the network looking for other, more sensitive systems to exploit (like computers and servers).
Enterprise-quality printers usually check for “valid” requests, and if a script is running that the printer doesn’t recognize, it blocks it. Sadly, the four worst brands lacked the security to prevent these scripts from running.
Cross-Site Request Forgery (CSRF): Another malicious exploit, similar to XSS, where unauthorized commands are forced to “run” from the user’s computer. Since this user is trusted by the web application, the application executes those commands without question. CSRF is the opposite of XSS since, in this case, the printer trusts the user (who contains the forgery) and is exploited because of it. In XSS, the user trusts the printer (which contains the script) and is exploited because of it.
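The two trust directions described above, seen from the defender's side in an added example (not code from the report or from any printer vendor): a minimal printer settings page that HTML-escapes stored values against XSS and requires a per-session token against CSRF. The function names, the /settings path and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Per-device secret; generated here because this is a constructed example.
SERVER_KEY = secrets.token_bytes(32)

def csrf_token(session_id: str) -> str:
    """Token bound to one admin session and embedded in every settings form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def render_status_page(device_name: str, session_id: str) -> str:
    """XSS defence: stored values are HTML-escaped before they reach a browser."""
    return (
        "<h1>Printer: " + html.escape(device_name) + "</h1>"
        '<form method="post" action="/settings">'
        '<input type="hidden" name="csrf" value="' + csrf_token(session_id) + '">'
        '<input name="device_name"><button>Save</button></form>'
    )

def handle_settings_post(session_id: str, form: dict, settings: dict) -> int:
    """CSRF defence: a state-changing request must carry the session's token."""
    supplied = form.get("csrf", "").encode()
    expected = csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403  # request rode on the session but did not come from our form
    settings["device_name"] = form.get("device_name", "")[:64]
    return 200

if __name__ == "__main__":
    settings = {"device_name": "Lobby-Printer"}   # constructed sample data
    sid = "constructed-session-1"
    # Request without the token, as a forged cross-site form post would be.
    print(handle_settings_post(sid, {"device_name": "renamed"}, settings))
    # Legitimate post whose value contains markup; it is stored, then escaped.
    form = {"csrf": csrf_token(sid), "device_name": "<script>alert(1)</script>"}
    print(handle_settings_post(sid, form, settings))
    print(render_status_page(settings["device_name"], sid))
```

The token check protects the printer from a trusted user's browser being misused; the escaping protects the user from content the printer serves back.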
If your head is spinning, don’t worry. The average user doesn’t need to know how to defend against XSS or DoS attacks. Most of the time, the printer and computer security components do this for you. But don’t let that lull you into a false sense of safety. The most important takeaways are as follows:
Buy a high-quality printer from one of the top manufacturers: Brands like HP, Canon, and Epson did extremely well and were barely mentioned in the report. This doesn’t mean that they are bulletproof, but these companies make printers specifically for the enterprise space, so security is designed into the product from the beginning. It’s worth noting that all vulnerabilities found by researchers were patched, but it speaks to the quality of HP and Canon that they didn’t need any patches in the first place.
Always Update Printer Firmware & Software: Regardless of planning, there are always variables in a quickly-changing threat landscape. As mentioned above, printers are often overlooked, but do in fact receive frequent firmware updates, just like computers. You should expect that your IT department or MSP will regularly perform routine maintenance on your printers, just like they should be performing on your computing and networking infrastructure.
Network Security Can Mean Printing Security: Because printers can now be considered IoT devices, they can be secured just like any other network device. Your IT team can quickly secure your network, its devices, and the services provided on it, thus also protecting your printers.
As always, stay vigilant and well-informed, and often, you will find yourself keeping up with emerging threats.