Network-enabled printers may contain very sensitive information about your internal network.
Virtually all printers and fax machines manufactured within the last 5 years are network-connected, which means they have many avenues for receiving and sending communication. Unfortunately it also means they may inadvertently store sensitive information about your network.
SEE ALSO: Top 5 Security Vulnerabilities Every Business Should Know
Wait . . . I need to secure my printer?!Most businesses have the same reaction when I tell them that their multi-function printer or fax machine could be a potential doorway into their secure network.
“Why would I need to secure it? Doesn’t this device just print jobs from inside the network and create hard copies? It’s just a printer.”
Wrong. It’s been more than a printer for quite a while now.
Printers are plugged into corporate networks, integrated with business systems, unified with email systems, and given Local Area Network (LAN) authentication.
With all these important connections throughout the network, hopefully you can see how an unsecure printer setup could lead to serious exposure of sensitive data or password harvesting.
Dangerous printer capabilitiesTo further understand printer security, the following are common printer/fax machine capabilities and settings that could lead to unauthorized access.
- Document scanning to a file: The printer allows access to a scanned file via File Transfer Protocol (FTP), or may copy the file to a network file server. Authentication credentials to that file server are stored by the printer, which means if a hacker gained access, he could have credentials to the network (maybe even administrative credentials).
- Document scanning to email: Credentials are required to access the local mail server, or the printer could store an address book. If a hacker has the ability to enumerate all email addresses or file share credentials, he could make the printer deposit scanned files directly to specific email addresses or file servers.
- Email notification: An address book of internal emails may be stored by the printer to enable various types of notification (fax, print job finished, etc.). If this information can be gleaned from the printer, the attacker now knows more than he should about internal emails.
- Remote admin portal: A remote administration portal, usually an embedded web server, can be reached from the network where the printer resides or even from the Internet. Often system administrators don’t change the default access password to this administration page. If a hacker does a simple Google search to find the default settings of the portal, he could access the network.
How are printers attacked?The following are common methods attackers could use to gain access to printers/fax machines.
Using vendor/factory defaults
One of the most common and simple attacks hackers use to attack a printer or fax machine is leveraging the default password set by the manufacturer to gain access to the administrative portal on the printer. Even if defaults have been changed, a simple attack against this administrative portal may allow someone to bypass the authentication layer of the device. With access to the portal, it can be very easy to glean network access information.
Using administrative passwords/usernames
IT personnel often use directory service administrator level username/passwords when setting up the printer to access shared resources. This login information might be visible from the printer’s administrative interface or accessible directly from the printer’s password settings page by viewing hidden HTML variables kept right in the page HTML source. Not securely protecting password information allows the hacker to collect this information from the printer and then “become” an administrator of the network or other sensitive systems.
Using unaddressed vulnerabilities
Since they are considered hardware, printers and fax machines are typically bypassed on the regular system update/patch management schedule. Attackers could learn of and utilize old vulnerabilities with success.
Tricking the printer
Other types of attacks trick the printer into communicating with an attacker rather than a standard configured service like Lightweight Directory Access Protocol (LDAP) and Simple Mail Transfer protocol (SMTP). The results of these types of attacks can allow an attacker to gather internal IP addresses, communication port information, and usernames/passwords.
What can I do for printer security?
- Change default passwords on printers
- Develop an update management process to keep printer software and firmware up-to-date
- Avoid using administrator level usernames and passwords when granting the printer access to network resources
- Be very aware of what network segments your printers are attached to. If it's wireless, make sure it is a secured wireless network. If you don’t need a printer in your most secure zones, don’t put it there.
SEE ALSO: 7 Hearty Tips to Avoid Costly Data Breaches
Multifunction and network enabled printers may contain very sensitive information about your internal network and may be a weak link in your overall security strategy. Do not neglect them.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and prosper as you read his other blog posts.