A pair of researchers conducting a six-month survey of popular business printers discovered 49 vulnerabilities in the drivers and software running on the devices. Some of the issues could be remotely exploited to run code on the corporate technology, security firm NCC Group said on August 8.
The research, conducted by NCC researchers Mario Rivas and Daniel Romero, uncovered issues as mild as denial-of-service vulnerabilities and as serious as buffer overflows that could lead to remote code execution. The researchers notified the makers of the affected printers — from Brother, HP, Kyocera, Lexmark, Ricoh and Xerox — of the issues in February, and every manufacturer has patched the issues, NCC stated.
The researchers will walk hackers through their research — including threat modeling and how attackers could use printers to maintain persistence in a corporate network — at the DEF CON hacking conference in Las Vegas this weekend.
"Because printers have been around for so long, they're not seen as enterprise IoT devices — but they're embedded in corporate networks and therefore pose a significant risk," Matt Lewis, research director at NCC Group, said in a statement. "Building security into the development life cycle would mitigate most if not all of these vulnerabilities."
Printers have long been a target of vulnerability researchers and hackers. At the Black Hat Security Briefings in 2002, two security researchers demonstrated that HP printers could be remotely exploited using security weaknesses in a variety of access methods. In 2017, a graduate thesis presented a survey of the security flaws in printers and multifunction devices, identifying more than 125 printer vulnerabilities in the National Vulnerability Database dating back nearly 20 years.
Increasingly, printers are grouped into the broader class of Internet of Things (IoT) devices that can expose companies to attack.
"Printers are commonly overlooked as devices that just 'print' and not as the network devices they are, which implement a lot of capabilities and store really sensitive information — not only documents, but also domain credentials and other secrets," Romero and Rivas said in an e-mail interview. "For this reason, we think that they are very interesting targets for attackers using them as the front door to compromise an organization."
Using some custom automated tools, the NCC Group research uncovered 49 vulnerabilities, as identified by their Common Vulnerability Enumeration (CVE) numbers. The researchers made extensive use of protocol fuzzing and plan to discuss one of their fuzzers at their DEF CON talk.
"We focused our research on [certain] attack surfaces, such as specific printer protocols, services, or implementations," the researchers told Dark Reading. "This is the reason why the different types of printer vulnerabilities found were often common across different brands. As far as we were able to identify, there weren't common components between the different brands."
Brother printers had the fewest vulnerabilities, with three issues found, including two overflows and an information disclosure vulnerability. HP printers had five issues, including multiple buffer overflows, cross-site scripting, and a bypass for countermeasures implemented to prevent cross-site request forgery.
Xerox and Lexmark printers had eight and nine vulnerabilities, respectively, including multiple buffer overflows, cross-site scripting, and information disclosure. Both Ricoh and Kyocera printers had a dozen vulnerabilities each. All four of the most vulnerable printer brands lacked countermeasures to prevent cross-site request forgery.
The researchers noted that they only had time to determine the definite exploitability of a few of the issues.
NCC Group criticized the shortfalls in the security measures implemented by printer manufacturers' software development teams.
"It's very important that manufacturers continue to invest in security for all devices, just as corporate IT teams should guard against IoT-related vulnerabilities with even small change: changing default settings, enforcing secure configuration guides, and regularly updating firmware," Lewis said.
Businesses should pay more attention to their printers as potential points of attacks and as devices that could allow an attacker to stay resident inside a network, the NCC Group researchers said.