Our article from last year about the threat posed by network printers was a good introduction to the idea that a common and seemingly innocent device can be exploited. Since then, there have been additional vulnerabilities and new attempts to use printers as a source of network attacks, so it is time to return to this topic with additional warnings.
Perhaps the biggest recent exploit is one that affects Lexmark models. Last December, security researchers were able to enumerate more than a thousand different printers online that had no password set at all. The attack is dirt simple: once you find the printer’s IP address, you connect to its webserver and within a few seconds can choose your own password. Once that is done, you can install your own exploit software and wreak all sorts of havoc. Lexmark, when contacted by reporters, claimed this was a feature and not a bug, as it gave its customers flexibility in setting up their printers. I think otherwise, and suggest you fix this post-haste by setting a password.
Unfortunately, Lexmark is by no means alone in this department. Other security researchers in Germany have discovered all sorts of vulnerabilities in many different vendors’ printers, including HP, Lexmark, Dell, Brother, Konica and Samsung. A total of more than 60,000 individual devices may be at risk from a variety of issues, including password tampering, buffer overflows, and remote code execution. To help convey the depth of their analysis, they created a set of tools called the Printer Exploitation Toolkit, which can be used to launch attacks against these vulnerabilities, so you can assess your own portfolio of printers.
You might complain that developing such a tool can only make printers more of a potential threat if the tool is used by evildoers. Perhaps, but let’s hope its creation can help remove the vulnerable printers from the exploit column.
Why are network printers still an issue? One reason has to do with how printers are purchased by many businesses. “Ownership is [a] factor,” says Ed Wingate, vice president and general manager of JetAdvantage Solutions at HP, who is quoted in this article about the situation. “Printers are shared devices, and it’s often unclear whether they belong to IT, facilities, or the team responsible for purchasing them. This leads to ambiguity over who should control the security of each device,” he says. Maybe so, but it is ultimately IT’s responsibility, no matter who brings them in the door.
Another reason has to do not with the printer itself but with vulnerabilities in how Windows looks for printers across the network: specifically, how printer drivers are installed on Windows computers, and how attackers can abuse the privileges connected to these drivers. Back in 2016, researchers found a watering-hole attack that was eventually patched. The researchers wrote in this blog post, “These devices can be hard to patch, hard to monitor and can quickly become a persistent blind-spot for security operations. This is a good reason to monitor all of your internal traffic regardless of the device type.”
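One way to act on the advice to monitor internal traffic regardless of device type, shown as an added example that is not from this article or the researchers it quotes: the script flags flows in which a printer is reached from outside the internal range, has its web interface opened by an unexpected host, or opens a connection itself. The addresses, the flow-record format and the single-print-server policy are constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration (assumptions, not from the article).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
PRINTERS = {"10.0.5.20", "10.0.5.21"}           # assumed printer inventory
PRINT_SERVERS = {"10.0.1.10"}                   # assumed: only host that should talk to printers
WEB_ADMIN_PORTS = {80, 443}                     # printer web interface

# Constructed flow records: timestamp, initiator, responder, responder port.
SAMPLE_FLOWS = """\
2017-03-01T09:00:01 10.0.1.10 10.0.5.20 9100
2017-03-01T09:02:13 203.0.113.7 10.0.5.21 80
2017-03-01T09:05:40 10.0.5.20 198.51.100.9 443
2017-03-01T09:06:02 10.0.3.44 10.0.5.21 80
2017-03-01T09:07:30 10.0.3.44 10.0.2.8 445
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port) from whitespace-separated lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip blank or malformed records
        yield fields[0], fields[1], fields[2], int(fields[3])

def classify(src, dst, port):
    """Return a finding name for a flow that touches a printer, or None."""
    if dst in PRINTERS:
        if ipaddress.ip_address(src) not in INTERNAL:
            return "external-inbound"        # printer reachable from outside
        if src not in PRINT_SERVERS and port in WEB_ADMIN_PORTS:
            return "unexpected-web-admin"    # web interface opened by another host
    elif src in PRINTERS and dst not in PRINT_SERVERS:
        return "printer-initiated"           # printer opening its own connections
    return None

def audit(text):
    """Return a list of (timestamp, finding, src, dst, port) for flagged flows."""
    findings = []
    for ts, src, dst, port in parse_flows(text):
        try:
            finding = classify(src, dst, port)
        except ValueError:
            continue  # source field was not a valid IP address
        if finding:
            findings.append((ts, finding, src, dst, port))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row)
```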
Some printer vendors are taking security more seriously, and certainly HP has tried to get their own printers under control in the past several years. You should download their white paper which describes numerous vulnerabilities and how to protect your printers. The paper also has a handy guide to which of their printer models support which of the security features mentioned. Other vendors should follow their lead and produce similar documents.
Clearly, we still have a long way to go before we can assume that all of our network printers are free of abuse from hackers. But as the paperless office is never going to happen, we will always have need for printers, and that means we have to spend some effort in securing them better.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.