Could you be hacked by your printer?
- 20 December, 2019 08:30
You have a very secure environment, you have the latest firewalls which have been configured well, you have really good network segregation and you have the latest in endpoint detection and response platforms with a well-configured siem platform. You even have a patch management system that is making sure that your systems are all up to date and not vulnerable to any known threats or vulnerabilities. Wow, you are really on top of this and are doing great at ensuring your systems are well protected and managed. Nice work, you should be quite happy with your progress but can I ask you a question? Did you put up 10-foot walls and secure your entire environment only to leave the back door unlocked and ajar for all to enter by port 9100?
Network printers are a huge part of most organisations and homes in many cases with direct internet-connected printers and Wi-Fi hotspot configurations to allow for simple\easy and reliable access to modern IoT printers. Yes, many printers are now connected to the internet especially home units as they are made to be accessible to users via mobile apps to help manage printing and enable direct printing capability for most non-technical users.
Printers in organisations wouldn't be connected to the internet though, would they? That doesn't sound correct? – That is what you are thinking right? This is only an issue for home setups, not my organisation? I just did a search for internet-connected printers in Shodan and the results were 30,532 with 318 available in Australia (There is also a whopping 8,910 available in the US). On the first page, I found two printers sitting on Australian university networks ripe for the picking. Seriously I am not even putting in any major effort to find this information and it is freely available to everyone. Admittedly universities are known to make printers available like this and in my opinion is a massive security risk that should be resolved.
So what you say, why do I care? What could someone do to a printer on my network except drop a million print jobs or put a print loop with a specific message like has been done recently from malicious actors saying that you have been hacked and to pay up via bitcoin? Yes, that is certainly one attack vector and I have seen it work very well surprisingly. That's not a concern for me though, just a pain in your side maybe, a bit of an inconvenience. My concern is this.
Let's say a malicious actor or even an internal actor wants to get all of the print jobs sent through to the finance printer or even HR? Could they manipulate a printer to collect copies of all documents that are sent to the printer? Yes, that is quite a simple attack that could be carried out against network printers if you are on the same network as the unit. This could be done for an external attacker by breaking into your organisation's Wi-Fi and then completing an attack on the printer using a tool called PRET. You can see an example of this being used here. The process is quite simple and very effective. You can imagine the level of data that could be captured by this process. Do you want to know what salary or bonuses that other staff get? Do you want to get personal information, this could be your perfect method to get it.
Denial of services and print job-stealing, in my opinion, is not of major risk to the organisation but is something that should be considered. It is possible to mitigate these attacks with traffic flow control that only allows access to printers via certain IP's or users but it will need to be determined if the risk is worth the elevated configuration requirements.
I think the real risk is the printer being used to attack systems on your network. Yes, that's right, it is possible to use network printers to attack other machines on your network and allow a malicious actor to take control of a workstation or server. I am not going to go through the technique as that is not what the article is about, I want to demonstrate to you all that network printers are a security blind spot and we don’t manage them well. We need to manage these as we do other network devices. Secure them first by not leaving default credentials (please at least do this – most don’t change them), update the firmware/software for the printers – these are used to patch vulnerabilities and is a great way to help reduce the attack surface. Don’t connect your printer to the internet if it is at all avoidable (please), this is an unnecessary risk that you don’t need. Don’t allow the printer to be used for unauthenticated SMTP email traffic, this could be how you get your latest malicious phishing email from someone pretending to be the finance manager. Only allow authenticated email communications and only allow them to be sent form authenticated users.
I know that in some instances it’s necessary to allow printers access to the internet but restrict the access and make sure you understand the risk, monitor access and be smart about how you allow it to be used. Otherwise, you may be on the morning news being the latest breach victim all because of that blind spot you call a network printer. Seriously network printers need to be considered as a risk and appropriate security controls put in place. Don't do the standard Aussie thing and say "it'll be right", plug the security holes, patch devices and let's all have a great start to the New Year?
Till next time…