By Sean Hope
Director of Managed Print Services
Historically, printers have not been much of a consideration in most organizations’ cybersecurity strategies, but that is exactly what has made them an attractive attack vector for hackers. In the past, the basic assumption was that a secure firewall was all that was necessary to keep printers secure, but that is no longer sufficient because “the bad guys” know that these are soft targets sitting on corporate networks.
In fact, in 2019 Microsoft issued a warning that a “known adversary” was engaged in a widespread campaign targeting printers and other IoT devices. This announcement came just as researchers from the NCC Group shared findings at the DEF CON 2019 convention that demonstrated how printers could be exploited remotely despite being “safely” behind a corporate firewall.
Why would someone hack a printer?
The motivation isn’t necessarily to hack the printer itself; instead, the printer serves as a point of ingress to gain a foothold on the network. From there, a hacker can move laterally within the network, connect to other devices, execute malware, and/or steal valuable information such as login credentials without being detected. Legitimate stolen login credentials were cited in a joint statement by US & UK intelligence services as a key tool in the execution of a widespread ransomware attack this summer. They attributed the campaign to the same group that Microsoft had previously warned was targeting printers. The intelligence-gathering activities were described as still active and ongoing since at least 2019, making the timeline consistent with the group’s printer hacking campaign.
Are there significant security feature differences in various makes/models of printers?
Every manufacturer is at least giving lip service to security in their marketing collateral today, but there are vast differences in actual features. These differences are not just from one manufacturer to the next; they can also vary from one product family to the next. An example of this is HP’s “Pro” and “Enterprise” series.
While the Pro series has a solid set of security features including whitelisting, the Enterprise series provides enhanced protections with anti-virus-style tools that actively monitor for anomalous activities in the device’s memory and network connection. They can even “self-heal” when an issue is detected.
To make an analogy, we can compare printer security to home security. One model may allow you to lock all the doors to the house and maybe even check the locks when you get home (or reboot your printer and validate firmware via whitelisting). However, another model does all that, plus it acts as an active alarm system with motion detectors that can proactively alert the authorities of an intrusion in the home while simultaneously removing the intruder and repairing any damage. The interesting piece to note here is that these high-end security features that would make life tough on Tom Cruise and the Mission Impossible team are no longer exclusive to pricey models. The fact that higher-priced printers are typically less costly to operate means that the models that offer the most protection will often be more cost-effective over their lifetime as well.
What can I do to enhance my printer security?
Take stock of the technology that makes up your current printer fleet. What type of built-in security features do these network endpoints have? Are your printers up to date with firmware patches? Manufacturers issue firmware updates to patch vulnerabilities after they are identified, but unpatched devices simply remain ripe targets for attackers. Understand that older technology is problematic on two fronts. First, whatever security features an old device was designed with are outdated simply by the nature of being older technology. Second, manufacturers do not support models forever, which means patches cease to be published. In much the same way that everyone still using Windows 7 had to upgrade last year when Microsoft stopped supporting it, printers should be retired once the manufacturer stops supporting them.
Criminals have been increasingly leveraging supply chain vulnerabilities to get inside networks, and printers are not immune to these threats. For example, last year researchers found a component in a common TCP/IP connector that had serious vulnerabilities (dubbed “RIPPLE20”). This component is believed to be in millions of IoT devices, including printers. It is so widespread that one manufacturer issued a patch for 100 different models.
With that in mind, it is important to understand the unique challenge that printers have in this regard. Every ink or toner cartridge has a chip in it that allows it to communicate with the printer. So, every time you put a new cartridge into a printer you are introducing an outside chip into a network endpoint. For those who scour the internet looking for the cheapest compatible cartridge, it may be worth pausing to consider where that cartridge is coming from as well as whether your printer’s security features would protect you if a chip has been compromised.
Above all else…make a plan.
Incorporate printers into your cybersecurity strategy. That could mean developing a patching process, replacing printers with new technology, or simply retiring some devices without replacing them. Having vulnerable printers does not necessarily mean the house is on fire, but if you choose to ignore it you have to be honest with yourself about that choice. As the old song lyric states, “if you choose not to decide you still have made a choice.”