The office printer: a weak link in your security regime?
First published by Strategic Risk.
“First, I got control of their printers. Then, I got control of their network. Then, I got control of their data... Along with everything else I’ve stolen from this place, these guys are in for a really bad day.”
That’s an excerpt from a short film produced by HP starring Christian Slater as “The Wolf.” In it, The Wolf shows how the humble office printer – the original “thing” in the “Internet of things” (IoT) – can be a security threat that is often not so difficult to breach.
Walk right in
Most printers today are connected via Wi-Fi. And in many printers, the Wi-Fi connection is open by default. Which is like parking your Ferrari in a garage, then adding a neon sign outside telling everyone where it is. And that it is unlocked. And the keys are in the glovebox.
Sound like hyperbole?
A program called Shodan was released in 2009. It was designed to search for devices linked to the internet, and, in particular, ones with security flaws. Shodan also gained notable attention after it emerged the program could be used to locate vulnerable webcams, meaning hackers could access video feeds with the device owners completely unaware.
More recently, researchers in Singapore developed two mobile phone apps based on Shodan that also scan for open Wi-Fi devices. Printers are a prime target. The idea is to attach a smartphone loaded with one of the apps to a drone and hover outside office buildings looking for open Wi-Fi connections.
Unfortunately, the message doesn’t appear to have got through.
One version, called the Cybersecurity Patrol, is friendly. When an open printer is located, the app creates a fake access point and sends a warning message to the printer alerting the company to the vulnerability.
With the less friendly version, the fake access point can be used to intercept documents intended for the printer. These documents – which could include confidential or proprietary information – could then be re-directed by the phone’s 3G or 4G connection to a hacker’s Dropbox account. And once they’re downloaded, the app can let the documents go through to the “real” printer so that no one is even aware that a hacker has penetrated the company’s defences.
While data taken directly from a printer or photocopier is concerning, hackers can also use a printer to gain access to a company’s entire file server. By using the compromised device as a stepping stone, cyber criminals are in a position to install malware on the company’s network that can engage in all sorts of mischief including information exfiltration, or making your network part of a botnet for a DDoS (distributed denial of service) attack!
Unsecured Wi-Fi networks aren’t the only way printers can access a company’s systems and, in turn, its data.
Like any device with a reasonable degree of processing power, printers and photocopiers include hard drives capable of storing large volumes of information. In practical terms, this usually means anything that is scanned on the device will be stored there as well. And few companies make an effort to delete sensitive material stored on a device’s internal hard drive.
Also, although a printer’s hard drive may be protected by some level of encryption, the protocols are usually much less robust than those for network servers and PCs; that’s another reason printers are attractive to cyber criminals.
In 2010, for example, a US-based health business was fined USD 1.2 million by the federal government, after leaving the private health information of roughly 344,000 customers on the hard drives of leased copy machines.
Sound the alarm
While the ways printers can be used as a gateway for hackers are well-known, the security threats are often overlooked.
In 2012, Columbia University’s aptly named “Intrusion Detection System Library” sought to highlight the magnitude of this exposure. In that project, researchers hacked a major retail printer line by using the device’s remote firmware to install harmful malware onto the machines. The group later reported that some devices were still using firmware dating back as far as 1992. Other researchers have sought to highlight the weakness in more creative ways. In 2014 a researcher from “Context Information Security” even managed to run the early ‘90s computer game, Doom, on a household brand of printer.
Unfortunately, the message doesn’t appear to have got through.
A 2015 study by The Ponemon Institute, for instance, found that 56 percent of enterprise businesses did not include office printers in their security reviews. What’s even more remarkable about this statistic is that fully 60 percent had experienced a data breach involving printers, and these took 46 days on average to resolve.
Moreover, another study by HP in 2016 revealed that just 18 percent of the respondents were concerned about printer security; in comparison, 91 percent reported being concerned about the security of their PCs.
Recognizing the threat
Safeguarding a printer from hackers is not overly challenging and often involves basic, common sense measures. The greatest hurdle is often simply ensuring that network printers are included within cyber security programs.
Security experts recommend that companies buy only devices with built-in security features like detection software. While more and more printer models today come with enhanced security measures, there are still many models with no built-in security.
Another is to spend some time taking an overview of all the devices connected to your network. Armed with a comprehensive inventory, security teams can disconnect devices that don’t require an Internet connection and take appropriate precautions with those that do; one option for the latter is to swap a wireless connection for a wired one, wherever possible.
Also, default passwords should always be changed when adding a new device to a company’s infrastructure. While this is done routinely for PCs, peripherals like printers, air-con machines or CCTV cameras are often operating with the default admin passwords provided by the manufacturer.
Finally, as with all cyber risks, it’s important to acknowledge that security technology can only go so far. Organizations can have state-of-the-art security systems/processes in place, but reducing the threats still comes down to the people who are using those tools.
About the author:
James Tuplin is XL Catlin's Head of Cyber, Technology, Media & Telecoms for International regions. He can be reached at: firstname.lastname@example.org