10:00 AM
Connect Directly

Printers: The Weak Link in Enterprise Security

Organizations frequently overlook printer security, leaving systems exposed to malware and theft. New tools aim to lessen the risk.

PC security has become a priority for security leaders following global ransomware attacks earlier this year. If they didn't before, everyone from CISOs to everyday consumers knows it's a bad idea to ignore security updates or use simple, breakable passwords.

This heightened awareness does not extend to printers, however, and hackers are exploiting poor printer security practices.

"Unlike PCs, where there's a full appreciation for the need to secure those devices, there's much less awareness to the need to secure print devices," says Ed Wingate, VP and GM for HP's JetAdvantage Solutions, noting that strong security practices for protecting PCs and other nodes on the network are not consistently deployed to printers.

Weak link in the IoT

Sam McLane, who runs the security engineering team at Arctic Wolf, says he is far less concerned about today's printers than about yesterday's printers. Many organizations, especially smaller ones, use printers around five to eight years old, and haven't updated them.

"Printers, specifically, have a much longer shelf life than any of the other IoT devices, and they were the earliest of the adopted devices," he explains. "People will run them into the ground and then some before they start replacing them."

This poses an especially big problem to small offices using consumer-grade devices, McLane continues. SMBs don't have the need or budget for high-end enterprise level printers, and make the mistake of sending corporate data into the cloud with lower levels of protection on a device meant to be in someone's house and not necessarily in a corporate environment.

"Someone could get into a computer via malware; printers advertise themselves well," says McLane. "If a laptop or desktop gets compromised, a printer is a great spot to put malicious code that everyone talks to … it's a built-in platform to launch attacks."

Common printer slip-ups

Most frequent mistakes include employing weak or default passwords, and neglecting to update firmware. "Printers are not always updated with the latest firmware," HP's Wingate adds. "In fact, we see heavy use of old firmware with printers, some with known vulnerabilities that are not being patched to the latest version. That represents an opportunity for hackers to come in."

Mismanagement of printer settings and ports leaves the door "wide open" for remote entry onto devices and into corporate infrastructure, he continues. Lack of active monitoring for printers also leaves businesses vulnerable to unauthenticated actors.

When overlooked, these errors can put full organizations at risk. Earlier this month, security researcher Ankit Anubhav found nearly 700 Brother printers exposed online, granting full access to their administration panels over the Internet. Devices on university, corporate, and government networks could be found via IoT search engines like Shodan and Censys.

One of the factors behind this exposure was the decision to ship printers with no administrative password. Researchers believe most businesses likely connected vulnerable machines to their networks without recognizing their administrative panel was exposed.

Vendor responsibility

As Wingate points out, it's not enough to simply protect a network from initial penetration. Firewalls are helpful "but not sufficient," he explains. CISOs must assume their network has already been breached and ensure there is no lateral attack on the network.

"What we've discovered in our research is that certain malware packets are able to enter the network by being sufficiently small and low profile - effectively entering under the radar," he explains. Once inside, it needs to contact the master command-and-control server to know what to do next. The way it does this is characteristic of that type of malware attack.

HP is addressing modern printer risks like this with a tool called Connection Inspector, which analyzes outbound network connections typically targeted by malware. It detects anomalous behavior and, if necessary, triggers a reboot to go back to a known version of the BIOs. This accelerates response speed, Wingate says, which is important given the security skills gap.

"If you have a human in the loop, who needs to be notified that there's a malware penetration, and he or she delays the response on solving the issue that undermines the security of the entire network," he explains.

Other new tools aim to improve security amid cloud growth and the rise of remote work. HP Roam, a Pull Print solution built in the cloud, lets mobile workers hand off documents and print them, then erases the job off the printer once the job is complete.

"Whether it's a sales rep in the field, an insurance agent, or any other 'road warrior' in the field, they sometimes must print," says Wingate. "And if they're not at home, and they're rarely at the office, where do they securely print? They don't securely print."

[Hear Arctic Wolf's Sam McLane discuss "Targeted Attacks: How to Recognize Them From the Defender's Point of View" at the INSecurity conference at National Harbor, Md., on Wed., Nov. 29. Register here.]

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Olaf Barheine
Olaf Barheine,
User Rank: Apprentice
10/23/2017 | 4:32:10 AM
I think I should switch my old printer from RJ45 to USB. A security test with NMAP showed that it's open like a barn door. And new firmware is not more available.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
10/22/2017 | 10:53:24 AM
Re: A simple google search
Even beyond Google, there's Shodan for finding exposed embedded devices -- printers and otherwise. Security researchers have relied on Shodan quite a bit to pull off some interesting research/exposes.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
10/21/2017 | 3:35:53 PM
For years
This has been an issue for quite a number of years, unfortunately. Printer vulnerabilities -- either because of poor enterprise practices or because of manufacturers not paying enough attention to their products -- really brought some attention the security weaknesses of embedded devices before the proliferation of IoT. Too bad manufacturers and enterprises didn't listen.
User Rank: Apprentice
10/20/2017 | 7:34:49 AM
User Rank: Ninja
10/17/2017 | 7:43:51 AM
A simple google search
Years ago there was published a simple, extended search string for Google that browsed the internal web page of millions of Officejet printers.  Fantastic.  Tried it and the pages were displayed along with internal IP settings which, for a hacker, is an open door.  I did not purposefully remember it but I am not surprised that printers are a wide open door.  
User Rank: Apprentice
10/16/2017 | 11:49:53 AM
Ohhh that is pretty interesting 
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.