After talking about mobile phones as a threat to your organization, today we will discuss another widely used device that also has the potential to be misused in a way that can compromise your organization. This device is generally seen as an innocent tool, and few would consider the security implications that installing it might bring. I am talking about the printer.
Printers have advanced a lot in the last few years. Modern printers connect to your network to allow printing from anywhere, they come with additional functionality such as scanning, copying and faxing, and they allow convenient configuration through web and FTP interfaces. However, all this new functionality also opens the door to abuse.
Just like any other device that connects to the network and allows remote access, printers have their own authentication system. Different interfaces might have different authentication, from the web interface down to the FTP and telnet interfaces of your printer. Like any brand new device, these come preset with a default login and password. In some cases the password is blank, and users will not be asked to authenticate until one is set. If the printer in question is installed by a user other than the IT system administrator, it is a safe bet that these defaults will not be changed or set. Would you expect a non-IT person to configure a password for the printer’s telnet server when it’s very likely s/he doesn’t even know what telnet is? Of course not; they will just be interested in getting the printer up and running as quickly as possible.
Printer security risks
What can a malicious hacker do when gaining access to a printer?
Surprisingly the answer to this question is, a lot. This is especially true if your printer faces the internet.
The most obvious and basic risk is that the malicious person can print anything he wants remotely. Most modern network printers listen on port 9100, and anything that is dumped into that port gets printed without requiring any authentication. This means that if the printer is accessible from the internet and there is no firewall rule to block that port, anyone can start printing on your printer until it runs out of paper and toner/ink.
Capturing the password
When a password is set, one is still not 100% safe. Some printers store it in the registry of any client accessing the printer, but even worse, some will happily send it over if you query their SNMP data using the public community string. SNMP (Simple Network Management Protocol) is aimed at helping with the configuration of network devices and allows for data exchange. Any SNMP client can communicate with a device using this protocol, so anyone who has an SNMP client can request the printer to send over the public data it has, and it has been reported that some printers will include the password with this data.
Even if that fails, most printers do not encrypt the login and password, so they can easily be sniffed by anyone on the same network segment.
Stealing Information and Documents
Some printers, especially multifunction ones, tend to contain large storage spaces and to store printed documents as well as received and sent faxes in them. Some of these will allow anyone access to these documents through simple FTP access. This means that if either no password or just a default password is used, a malicious hacker can easily copy these documents. If the printer doesn’t store documents, it will surely keep a log of the document name and the user name that printed it. This information can be useful to a malicious hacker in a number of ways. First and foremost, it will likely indicate the name of the person who printed the document, since that will likely relate to the user name. The document name will also give hints as to what department this person works in. Armed with this knowledge, the malicious hacker has enough ammunition to try to execute an effective social engineering attack on the company. The document filenames themselves might be valuable to hackers: more often than not they are a sort of summary of the whole document and might in themselves be valuable pieces of information.
It gets a little worse when you take into consideration the people who are on the same local network. Any person on the same network segment can capture the network traffic to the printer. Printers are trusting devices: print jobs are not tied to a specific printer, and if a captured printing payload is dumped into another printer, it will happily print it out. This means that a disgruntled employee on the same segment as your financial team can potentially get access to sensitive information that should only be available to that financial team.
Network printers are just like a small PC with their own services running. It is known that it’s possible to bounce off a network printer. Bouncing is the act of using a machine or device as a gateway for an attack. Vulnerable printers are generally used for FTP bounce attacks. Most printers can also be used as a scanning bounce, a practice known as idle scanning or zombie scanning. Both of these attacks allow an attacker to launch an attack on another target and make it look like the attack is originating from the bouncing target. Since printers do not generally hold detailed logs, it might not be possible to follow any trail to the real attacker.
Protecting your Printer
In order to protect the precious data sent to the printer, the best thing to do would be to connect the printer directly to the machine via USB. Don’t put the printer on the network unless you really need to. Connecting a printer directly to the internet is definitely to be avoided unless there is a really good reason for it, and when this is unavoidable, ensure that the printer is protected by a firewall which only allows access to the hosts that really need to use it.
Just like a PC a printer also needs to be up to date and scanned for vulnerabilities. Remember a printer is no different to a regular machine in most respects nowadays. It can suffer from the same issues and vendors do issue updates to fix these issues.
Finally, do not take the installation of printers lightly. Installation should be done by staff who know how to set up the printer properly and securely. It is very easy to hook up a printer, but this is not enough. Default passwords need to be changed and access limited to the people allowed to use the printer.
Since printers are so cheap nowadays there is the risk that some employee who might not have direct access to a printer might decide to buy one and install it himself, therefore I would also suggest that periodic audits of the network are done so that administrators can also detect any possible rogue printers that get connected to the network.
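One way to run the periodic audit suggested above, as an added example rather than code from the original article: it compares the printer-related services found on a segment against an inventory of approved printers and reports rogue devices and services left enabled. The function names, the inventory format and the sample addresses are assumptions made for this illustration, as is the rule that only hosts answering on port 9100 are treated as printers.

```python
import socket

# Services the article names: raw printing on 9100, plus FTP, telnet and web admin.
PRINTER_PORTS = {21: "ftp", 23: "telnet", 80: "web admin", 9100: "raw print"}

def open_ports(host, ports=PRINTER_PORTS, timeout=0.5):
    """TCP connect check; run it only against address ranges you administer."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:
            pass  # closed, filtered or unreachable
    return found

def audit(results, approved):
    """results: {host: open ports}; approved: {host: ports the inventory allows}."""
    findings = []
    for host, ports in sorted(results.items()):
        if 9100 not in ports:
            continue  # assumption: only hosts offering raw printing count as printers
        if host not in approved:
            findings.append((host, "rogue printer: not in inventory"))
            continue
        for port in sorted(ports - approved[host]):
            name = PRINTER_PORTS.get(port, str(port))
            findings.append((host, f"unapproved service: {name}"))
    return findings

# Constructed sample data (documentation addresses), standing in for
# {h: open_ports(h) for h in hosts} collected on a real segment.
SAMPLE_RESULTS = {
    "192.0.2.10": {80, 9100},          # approved, configured as recorded
    "192.0.2.11": {21, 23, 80, 9100},  # approved, but FTP and telnet left on
    "192.0.2.57": {80, 9100},          # printer nobody registered
    "192.0.2.80": {80},                # web server, not a printer
}
SAMPLE_APPROVED = {"192.0.2.10": {80, 9100}, "192.0.2.11": {80, 9100}}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_RESULTS, SAMPLE_APPROVED):
        print(host, finding)
```

Running the same comparison on a schedule and diffing the findings between runs shows when a new printer appears or when a firmware reset re-enables a service that had been turned off.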