Source: British Assessment Bureau
In one of the more bizarre cyberattacks of recent times, in November 2018 an estimated 50,000 printers around the world started printing flyers asking readers to visit the YouTube channel of Internet star PewDiePie.
Annoyed but helpless owners quickly took to Twitter to complain about the intrusion.
It didn’t matter whether the printer was a sophisticated multi-function laser printer used by large companies or a modest receipt printer of the sort used by millions of small businesses – if it was connected to the Internet, the PewDiePie hackers seemed able to reach and print from it.
A few days later, the same hackers struck again, this time printing instructions telling victims how to close off the exposed, unauthenticated printing services that had made the campaign possible. And there was more; the hackers believed it was not only possible to print from exposed machines but to physically damage their electronics or interfere with data passing through them.
“The fallout goes beyond print-outs, we could also be capturing sensitive documents as they get printed or even modify documents as they get printed,” they told the BBC.
This is far from the only incident affecting printers in recent years. In 2020, a hacking collective successfully printed a PDF of security instructions to 27,944 of the roughly 50,000 unprotected printers it targeted, a sample drawn from some 800,000 Internet-exposed devices discovered using the Shodan and Censys IoT search engines.
Printers aren’t necessarily more vulnerable to attack than other devices, but they are almost always ignored. The thing about printers is they print. Beyond that narrow function, few give them a second thought. It’s been this way ever since HP released the first deskside personal laser printer, the LaserJet, in 1984.
Printers have always been fully-fledged computers, complete with their own main memory, microprocessors, data storage, network connectivity, and simple operating systems. Then, around 20 years ago, they acquired built-in web and remote configuration, which meant people could connect and print documents or change settings from anywhere in the world.
Looking back, Internet-connected printers marked the beginning of the Internet of Things (IoT), years before that term existed. And as with most of today’s IoT devices, nobody paid a blind bit of attention to the risks of populating networks with unmanaged, Internet-connected devices that rarely or never received software updates.
Although examples of major cyberattacks exploiting printers are still collectors' items, the proof-of-concept incidents mentioned above show that compromise is not a theoretical worry. If an attacker can reach a printer from inside or outside a network, that exposure is a weakness that needs to be addressed.
How might an attacker exploit a printer?
Denial of service: sending a stream of print jobs to a printer to stop it receiving legitimate traffic, or simply to exhaust its paper and toner. Anecdotes suggest that this type of attack is not uncommon, which shouldn't be a surprise. In the 1980s and 1990s, attacks were launched on company fax machines and phone switchboards using the same MO.
Data theft: printers receive and print data. But what happens while that data is sitting in the print queue, or in the job history many devices keep on their internal storage? If it is not encrypted, in principle it is open to anyone able to access the printer's management interface, whether over Wi-Fi or across the wired network itself. The same applies on the wire: traditional raw and LPD printing protocols carry the document in cleartext.
Network compromise: hacking a printer to use as a staging post for lateral movement inside a network is supposed to be rare. This could be because it really is rare, or it might simply be because nobody monitors printers and so would have no way of knowing if it had happened. As with most IoT, printers don't run endpoint security agents, which means that compromises are not easy to see. If the printer has a serious unpatched vulnerability, a remote code execution (RCE) exploit could allow hackers to install malware.
Email compromise: an additional trick used by hackers is to hijack a printer's scan-to-email function, using it as a proxy to send a malicious document to someone's email address posing as a routine scan notification. Because the message really does come from a legitimate internal device, it is more likely to pass checks and to be opened.
Document modification: intercepting printed material to change some of the data, for example a mailing address for goods.
Printer security checklist
The good news is that fixing printer security isn’t hard. The first task is to stop ignoring them as if they are trusty printing presses and address the glaring weaknesses.
Secure access: after carrying out an audit to establish the state of the printer population, make sure no printer is reachable directly from the Internet; that means no port-forwarding of its printing or admin ports through the perimeter firewall and no remote Internet printing feature left enabled. This stops the printer from being visible to specialised search engines. Then turn off unused software ports and unneeded protocols that might further expose it inside the network. The usual suspects are raw printing on TCP 9100 (the unauthenticated JetDirect port the mass-printing campaigns relied on), LPD on 515, IPP on 631, the web admin interface on 80/443, SNMP on 161, and legacy FTP and Telnet services. Keep only what your print servers actually use, and ideally restrict even that to the print server's address.
Authentication: default login credentials are a big weakness. Obviously, these should be changed, and any additional authentication turned on if supported, so that a job is only accepted from an authenticated user or print server rather than from anyone who can reach the device. The printer admin interface itself should be protected by changing any credentials, disabling unused accounts and, where the device supports it, restricting admin access to the management network.
Regular patching: patching vulnerabilities is obvious but not all vendors do this quickly enough or make it easy to do. The patching schedule for drivers and firmware should be assessed as carefully as printer features and price before buying a printer. Sometimes, updating can be done automatically by the printer vendor, which might be the safest option.
Data encryption: encrypting print jobs adds a useful layer of security along with some complexity (with secure release or "pull printing", the document is only decrypted and printed once the user has authenticated at the device). Where the printer stores jobs on an internal disk, turn on disk encryption and job erasure as well.
Independent testing: Buyers Lab has developed a testing process that examines the security of printer and multifunction devices from the major vendors. Not every name is on the approved list (yet).
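The first two checklist items (audit the printer population, then close every service that does not need to be reachable) are the kind of thing worth automating rather than doing by hand once. The script below is an added example written for this page; it is not code from the British Assessment Bureau or from any printer vendor. It probes each host on the TCP ports printers commonly expose, compares what it finds against an allow-list policy, and reports which services should be disabled or firewalled. The port list and the policy (only IPP and the HTTPS admin page allowed internally) are assumptions of the example; SNMP is omitted because it runs over UDP and a TCP connect probe would not see it. Run from outside your network, with internet_facing=True, every reachable port is a finding, because a printer should not be directly reachable from the Internet at all.

```python
"""Printer exposure audit (added example, not the article's own code).

Probes each host on well-known printer ports and reports services that the
policy says should not be reachable. Port list and policy are assumptions.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

# Service name and remediation advice per port. Ports 9100 (raw/JetDirect)
# and 515 (LPD) accept a print job from any TCP client with no authentication,
# which is what made the mass-printing campaigns described above possible.
PRINTER_PORTS: Dict[int, Tuple[str, str]] = {
    9100: ("raw/JetDirect printing, unauthenticated",
           "disable raw printing or restrict it to the print server address"),
    515: ("LPD printing, unauthenticated",
          "disable LPD unless a legacy system still needs it"),
    631: ("IPP printing", "keep only if clients print via IPP; require TLS"),
    80: ("HTTP admin interface", "disable HTTP and use HTTPS only"),
    443: ("HTTPS admin interface", "restrict to the management network"),
    21: ("FTP", "disable; legacy file-to-print service"),
    23: ("Telnet", "disable; cleartext admin access"),
}

# Example internal policy: only IPP and the HTTPS admin page may be reachable.
ALLOWED_INTERNAL: FrozenSet[int] = frozenset({631, 443})

# A probe takes (host, port) and says whether a TCP connection succeeded.
Probe = Callable[[str, int], bool]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    advice: str


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts: Iterable[str], probe: Probe = tcp_open,
          allowed: FrozenSet[int] = ALLOWED_INTERNAL,
          internet_facing: bool = False) -> List[Finding]:
    """Probe every host on every known printer port and return the findings.

    With internet_facing=True (scan run from outside the perimeter) every
    reachable port is reported, regardless of the internal allow-list.
    """
    findings: List[Finding] = []
    for host in hosts:
        for port, (service, advice) in PRINTER_PORTS.items():
            if not probe(host, port):
                continue
            if internet_facing:
                advice = ("printer is reachable from the Internet: remove the "
                          "port-forward or firewall rule exposing it")
            elif port in allowed:
                continue
            findings.append(Finding(host, port, service, advice))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings one per line; an empty list means a clean result."""
    if not findings:
        return "no exposed printer services found"
    return "\n".join(f"{f.host}:{f.port} {f.service}: {f.advice}"
                     for f in findings)


if __name__ == "__main__":
    # Usage: python printer_audit.py 10.0.20.11 10.0.20.12 ...
    print(format_report(audit(sys.argv[1:])))
```

The probe is injected as a parameter so the policy logic can be exercised against a recorded scan result (or a unit test) without touching the network, and so that a different probe, for example one that also checks whether port 9100 accepts a connection from an address other than the print server, can be dropped in later.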
The problem with printers is that their security state is often invisible and almost always treated as an afterthought. As the probing of researchers mentioned at the beginning of this article demonstrated, that creates risks. Printers are the back door into the network nobody knows is there. To date, it’s an issue that’s been publicised by Internet pranksters. Next time, it might be people with more malevolent intent.