Historically, printers have not been much of a consideration in most organizations’ cyber security strategies. However, that is exactly what has made them an attractive attack vector for hackers. In the past, the basic assumption was that a secure firewall was all that printer security required, but that is no longer sufficient, because “the bad guys” know that printers are soft targets on corporate networks.
In fact, in 2019, Microsoft issued a warning that a “known adversary” was engaged in a widespread campaign targeting printers and other IoT devices. This announcement came just as researchers from the NCC Group shared findings at the DEF CON 2019 convention that demonstrated how printers could be exploited remotely despite being “safely” behind a corporate firewall.
The motivation isn’t necessarily to hack the printer itself; instead, the printer serves as a point of ingress to gain a foothold on the network. From there, a hacker can move laterally within the network, connect to other devices, execute malware, and/or steal valuable information such as login credentials without being detected. Legitimate stolen login credentials were cited in a joint statement by US & UK intelligence services as a key tool in the execution of a widespread ransomware attack this summer. They attributed the campaign to the same group that Microsoft had previously warned was targeting printers. The intelligence-gathering activities were described as still active and ongoing since at least 2019, making the timeline consistent with their printer hacking campaign.
Every manufacturer at least pays lip service to security in its marketing collateral today, but there are vast differences in actual features. These differences exist not just from one manufacturer to the next; they can also vary from one product family to the next. An example of this is HP’s “Pro” and “Enterprise” series.
While the Pro series has a solid set of security features, including whitelisting, the Enterprise series provides enhanced protections with anti-virus-style tools that actively monitor for anomalous activities in the device’s memory and network connection. They can even “self-heal” when an issue is detected.
To illustrate this concept, we can compare printer security to home security. One security system may allow you to lock all the doors to the house and maybe even check the locks when you get home (or reboot your printer and validate firmware via whitelisting). However, another model does all that and acts as an active alarm system, alerting the authorities of an intrusion while simultaneously removing the intruder and repairing any damage.
The interesting piece to note here is that these high-end security features that would make life tough on Tom Cruise and the Mission Impossible team are no longer exclusive to pricey models. Higher-priced printers are typically less costly to operate, so the models that offer the most protection will often be more cost-effective over their lifetime as well.
Implementing printer security best practices starts with taking stock of the technology that makes up your current printer fleet. What type of built-in security features do these network endpoints have?
First, understand that older technology is problematic on two fronts. For one, whatever security features an old device was designed with are outdated simply by the nature of being older technology. Two, manufacturers do not support models forever, which means patches cease to be published. In the same way that Windows 7 users had to upgrade last year when Microsoft stopped supporting it, printers should be retired once the manufacturer stops supporting them.
Are your printers up to date with firmware patches? Manufacturers issue firmware updates to patch vulnerabilities after identification, but unpatched devices represent ripe targets for attackers.
Criminals have been increasingly leveraging supply chain vulnerabilities to get inside networks, and printers are not immune to these threats. For example, last year, researchers found a component in a common TCP/IP connector with serious vulnerabilities (dubbed “Ripple20”). This component is believed to be in millions of IoT devices, including printers. It is so widespread that one manufacturer issued patches for 100 different models.
With that in mind, it is important to understand the unique challenge printers pose in this regard. Every ink or toner cartridge has a chip in it that allows it to communicate with the printer. So, every time you put a new cartridge into a printer, you are introducing an outside chip into a network endpoint. For those who scour the internet looking for the cheapest compatible cartridge, it may be worth pausing to consider where that cartridge is coming from, as well as whether your printer’s security features would protect you if a chip has been compromised.
For more on ink cartridge security, see our blog “Can My Toner Cartridges Get Hacked?”.
Incorporate printers into your cybersecurity strategy. That could mean developing a patching process, replacing printers with new technology, or simply retiring some devices without replacing them. Having vulnerable printers does not necessarily mean the house is on fire, but if you choose to ignore it, you must be honest with yourself about that choice. As the old song lyric states, “If you choose not to decide, you still have made a choice.”