They sit off in the corner, some of them collecting dust. Yet, a printer is a legitimate attack surface. Many companies don’t bother to update the firmware on older models, or don’t include every model in a security audit (such as the one in the CEO’s office everyone forgot about), or the organization assumes a hacker won’t bother with an Epson or HP that is barely even connected to Wi-Fi.
Interestingly enough, because a printer is so innocuous and seemingly harmless, that’s the exact reason it poses a threat, according to the security analysts who talked to CSO about this issue. Sometimes, the best attack vector for an attacker is the one no one bothers to think about. However, a recent IDC survey found that 35 percent of all security breaches in offices were traced back to an unsecured printer or multi-function device, costing companies $133,800 each year.
Why the threat is serious
As with any vulnerability, a printer fits into that category of “fringe” devices you might not consider. Enterprise security tools protect networks and laptops; they often do not block access from a printer that is outdated and runs the original firmware that shipped with the product.
“Printers at first may seem like a benign issue, however you have to remember that they are mini-computers,” says Chris Vickery, a white hat hacker and Security Researcher at MacKeeper. “Getting control of a printer within an organization can provide a foothold for further attacks and a position to ‘pivot’ out of into networks.”
The most serious threat has to do with an attacker gaining access to the network through the printer. Other issues include capturing every document sent to the printer, which could be a serious business intelligence compromise. Vickery said another recent incident involved sending a white supremacist document to thousands printers that did not block a specific port.
Arianna Valentini, a security researcher with IDC, said that apart from the actual hacks into the printer itself, another security concern has to do with documents left unattended. Many older models do not use any security related to only printing when someone enters a password at the device itself. Corporate users tend to print and forget the documents. This makes it all too easy for a thief to steal the documents, digitize them, and sell company secrets.
Vickery says this problem arose partly due to neglect (printers sitting idle in a corner) and partly due to how the printer companies failed to protect the devices. He says one of the biggest innovations in printer security was in using password protections on printers by default (that is, the devices are shipped with passwords enabled). That doesn’t help with the millions of older models that still rely on the default firmware that do not use passwords, however.
Sign up for Computerworld eNewsletters.