Mind the printers: How to close the security gap
14 July 2016
5 min read
The lowly printer, oft maligned by operators and users alike, is the target of a wide array of attacks from hackers. The principal objective of a printer attack is, ostensibly, the information flowing through the device, but multi-function printers and larger network printers offer a variety of other tantalising morsels for the creative hacker.
First, it’s essential to understand the types of attack levelled at printers.
What makes a printer vulnerable
There are three components of these systems that can be attacked: the operating system driver, the management tools and the printer’s software.
The operating system driver is a bit of code that users are typically unaware of because it exists to provide an interface between the computer’s print spooler (the bits that handle print jobs) and the physical printer.
This driver is loaded when the computer boots and, as with any other software, may contain exploitable vulnerabilities (particularly in older models). The result of such an attack is most likely the escalation of local user privileges or the execution of arbitrary code on the PC itself, as opposed to on the printer.
Anyone who has added a printer to their PC has no doubt installed a wide variety of third party or vendor-provided applications with which to manage it. This software is typically installed as part of the printer setup, configured to run at system boot time, and seldom updated.
As with their more complex cousin, the print driver, an attack against these tools would most likely result in either a local privilege escalation or the execution of arbitrary code on the local machine, as opposed to any control of the printer itself.
How hackers will attack your printer
There are four primary ways to attack the printer: the web-based administrative interface (WebUI), SMTP, FTP and SNMP. Note that none of these routes of attack need the hacker to be physically present.
The WebUI of many printers is often a first stop for anyone attacking a printer. Any compromise of the WebUI, whether through brute-forcing credentials or via some exploit, gives an attacker the ability to control any configurable feature of the printer.
Often, an attacker will use this access to enable features -- such as queue retention policies and FTP access -- so they can return later, recover retained print jobs and parse them for sensitive information. Attacking the WebUI is akin to kicking in the front door of a house you intend to burglarise: effective, but not so subtle.
Sending spam through a printer may not sound like a plausible scenario, but thanks to the ability of many network printers to send and receive emails, this is very much a possibility. It is possible because the printer cannot deliver email on its own, but rather relays it through the company mail server.
Unfortunately, a great many administrators will simply allow printers to send emails through the corporate mail server without authentication, making the printer an excellent relay point for attacker-sent email. Worse, emails originating from these hosts are great for internal phishing attacks because they may genuinely appear to be a scanned document.
SMTP, FTP and SNMP
Print jobs can be submitted to the queue in many different ways, including SMTP and FTP. The upshot of this, for attackers, is that devices that support FTP often don’t remove jobs from memory immediately upon printing, but rather delete them on a schedule. The result is that a digital miscreant can retrieve those print jobs prior to their removal.
Many enterprise-class printers also support management and monitoring via the Simple Network Management Protocol (SNMP). While SNMP is most commonly used to track ink or toner levels and the number of pages printed, it can also be used to alter the configuration of printers -- provided an attacker can gain access to the printer’s read-write community string and/or authentication credentials. There are three different versions of SNMP, each of which has its own method for authentication: SNMPv1, SNMPv2c and SNMPv3. SNMPv1 and v2c require a simple “community” string, essentially a pre-shared passphrase used to identify authenticated devices.
SNMPv3, on the other hand, requires a community string as well as an encrypted username and password pair for authentication. Unfortunately for enterprises, the overwhelming majority of devices are configured to use SNMPv2c, which excludes the proposed security enhancements of the base SNMPv2.
The end result is that once an attacker is on the network, it’s a trivial matter to sniff out the SNMP community string and to then use that string to perform configuration modifications to enterprise-ready network printers or multi-function devices.
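Because SNMPv1 and v2c carry the community string in the clear, a defender can audit a capture of printer management traffic and flag every message that still uses those versions or a default community. The following Python is an added example, not code from the article: it builds a few constructed SNMP packets (no real device traffic), decodes the BER header to pull out the version and community string, and reports what a network team should act on. The packet builders, the default-community list and the `audit_*` helpers are all assumptions of this example.

```python
# Added example (not from the article): decode the header of SNMPv1/v2c
# messages to show that the community string travels in cleartext, and flag
# captures that use v1/v2c or a default community. All packets below are
# constructed here for the demonstration.

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def _tlv(tag, value):
    """Encode one BER TLV (short-form length only; enough for these samples)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_community_get(version, community, oid=(1, 3, 6, 1, 2, 1, 1, 1, 0)):
    """Build a minimal SNMPv1 (0) or v2c (1) GetRequest for sysDescr.0.

    Constructed sample traffic, not a capture from a real device.
    """
    oid_bytes = bytes([40 * oid[0] + oid[1]]) + bytes(oid[2:])  # sub-ids all < 128
    varbind = _tlv(0x30, _tlv(0x06, oid_bytes) + _tlv(0x05, b""))
    pdu = _tlv(0xA0,                                   # GetRequest-PDU
               _tlv(0x02, b"\x01")                     # request-id
               + _tlv(0x02, b"\x00")                   # error-status
               + _tlv(0x02, b"\x00")                   # error-index
               + _tlv(0x30, varbind))                  # variable-bindings
    return _tlv(0x30, _tlv(0x02, bytes([version]))
                + _tlv(0x04, community.encode("ascii")) + pdu)


def build_v3_header_sample():
    """Minimal SNMPv3 message header (version 3, empty global data and
    security parameters) so the audit below can tell the versions apart."""
    return _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b"") + _tlv(0x04, b""))


def _read_tlv(data, offset):
    """Decode one BER TLV at offset; return (tag, value, offset after it)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def parse_snmp_header(packet):
    """Return (version, community). community is None for SNMPv3, whose
    header carries no community string."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, off = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    if version in (0, 1):
        tag, comm, _ = _read_tlv(body, off)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community")
        return version, comm.decode("ascii", "replace")
    return version, None


def audit_packet(packet):
    """Classify one SNMP packet for the audit report."""
    version, community = parse_snmp_header(packet)
    return {
        "version": VERSION_NAMES.get(version, f"unknown({version})"),
        "community": community,
        "cleartext": community is not None,           # true for v1/v2c only
        "default_community": community in DEFAULT_COMMUNITIES,
    }


def audit_capture(packets):
    """Return the findings that warrant action: any v1/v2c traffic at all,
    with default communities called out in the finding."""
    return [f for f in (audit_packet(p) for p in packets) if f["cleartext"]]


if __name__ == "__main__":
    sample = [build_community_get(0, "public"),
              build_community_get(1, "prn-rw-2016"),
              build_v3_header_sample()]
    for finding in audit_capture(sample):
        print(finding)
```

The parser deliberately stops after the version field for SNMPv3, because the point of the audit is not to decode USM parameters but to show that any v1/v2c packet on the wire hands its community string to whoever is listening; feeding it real UDP/161 payloads from a capture tool works the same way, since the decoder only needs the SNMP message bytes.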
Protect against attack
In the end, the attack surface of a network printer is quite a bit larger than you might have previously understood. So how do you secure these fixtures of the modern office?
The most effective strategy begins with understanding the workflows that use the printers. This allows you to isolate the devices on the network to a separate VLAN while restricting what traffic is allowed to traverse it. Finally, keep print drivers and management software up to date.
Understanding the workflows around any given printer ensures that the measures you take to secure it don’t negatively impact the business. Isolating printers on their own VLAN ensures that you’re able to control the flow of network traffic to and from that segment of the network easily.
Keeping print drivers and management software up to date ensures that local machines aren’t victims of malicious code that targets the software supporting our printers.
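To make the VLAN advice concrete, here is an added example (not from the article) of the kind of default-deny flow policy that isolating printers makes possible: users reach the printer VLAN only on print ports, SNMP and the WebUI are reachable only from a management host, and the printers themselves may talk only to the mail relay for scan-to-email, so the FTP-retrieval and open-relay routes described earlier are closed by default. The Python below evaluates that policy and renders it as an nftables ruleset; every address, port choice and the `printers` table name are assumptions for this example, and the rendered rules should be reviewed before loading on a real gateway.

```python
# Added example (not from the article): a default-deny flow policy for a
# printer VLAN, evaluated in Python and rendered as nftables rules.
# All addresses below are constructed for the example; substitute your own.
from ipaddress import ip_address, ip_network

USER_LAN = ip_network("10.10.20.0/24")      # workstations that print
PRINTER_VLAN = ip_network("10.10.30.0/24")  # the isolated printer segment
MGMT_HOST = ip_network("10.10.10.5/32")     # the one host allowed to manage printers
MAIL_RELAY = ip_network("10.10.10.25/32")   # authenticated relay for scan-to-email

PRINT_PORTS = {9100, 631, 515}              # raw/JetDirect, IPP, LPD

# (source, destination, protocol, destination ports, comment)
# First match wins; anything not listed is dropped by the chain policy.
POLICY = [
    (USER_LAN, PRINTER_VLAN, "tcp", PRINT_PORTS, "users submit print jobs"),
    (MGMT_HOST, PRINTER_VLAN, "udp", {161}, "SNMP from the management host only"),
    (MGMT_HOST, PRINTER_VLAN, "tcp", {443}, "WebUI from the management host only"),
    (PRINTER_VLAN, MAIL_RELAY, "tcp", {587}, "scan-to-email via the relay only"),
]


def is_allowed(src, dst, proto, dport):
    """Decide whether a new flow would be permitted by POLICY (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_proto, ports, _ in POLICY:
        if s in rule_src and d in rule_dst and proto == rule_proto and dport in ports:
            return True
    return False


def render_nftables():
    """Render POLICY as an nftables forward chain with a drop policy."""
    lines = [
        "table inet printers {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, ports, comment in POLICY:
        portset = ", ".join(str(p) for p in sorted(ports))
        lines.append(
            f'    ip saddr {src} ip daddr {dst} {proto} dport {{ {portset} }} '
            f'accept comment "{comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    # A few flows from the article's attack routes, checked against the policy.
    for flow in [("10.10.20.7", "10.10.30.5", "tcp", 9100),   # printing: allowed
                 ("10.10.20.7", "10.10.30.5", "tcp", 21),     # FTP job retrieval: denied
                 ("10.10.20.7", "10.10.30.5", "udp", 161),    # SNMP from a user PC: denied
                 ("10.10.30.5", "203.0.113.9", "tcp", 25)]:   # printer to external SMTP: denied
        print(flow, "allowed" if is_allowed(*flow) else "denied")
```

The same policy table drives both the evaluator and the rendered ruleset, which keeps the documented workflow ("who needs to reach the printer, and what the printer needs to reach") and the enforced rules from drifting apart; add a row when a workflow genuinely needs it rather than widening an existing one.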
The HP factor
It’s also worth noting that HP’s latest round of laser printers, the M500 series, introduced three key hardware and software features to protect against attack. Indeed, two of the three features can be incorporated into older HP printers through firmware updates. See the link for a full list of printers covered. The one security feature that won't be available to older machines is HP Sure Start, which depends on a "golden" BIOS that's separate from the printer's active BIOS. If, at the time of booting, the printer detects its BIOS has been compromised, it will roll back automatically to the original.
The second new line of defence is whitelisting, which should ensure that only "good" firmware can be loaded and executed on the printer. If it detects non-HP firmware it shuts down and notifies the network manager.
Run-time intrusion detection rounds off the features, with constant monitoring of in-device memory that checks for attacks. Crucially for IT managers in charge of dozens of printers in different places, the printer reboots automatically.
So the lesson is to be aware of the security holes offered by the printers on your network and take whatever action is required, whether that’s upgrading to a new machine, isolating printers onto their own VLAN, making sure your firmware and software are up to date, or a combination of all three.
Unless you want your next client correspondence, contract or sales report to be nicked by an attacker, you’d be well served to mind the printers.