Looking over the work your security team has accomplished over the last few years, you’re pretty satisfied. Servers and workstations are hardened. Layers of intrusion defense (IDS, IPS, firewalls, VLANs, etc.) are in place. Anti-virus and anti-spyware solutions are running and regularly updated. The SOX audits are all passing. Your configuration and patch management program is fully functional. All is well. It’s time to take a break and just manage your solutions. Well, not so fast. There’s possibly one piece of your infrastructure you haven’t included in your security planning—network printers.
Criminals have historically gone after PCs and servers. In the past these were relatively open and waiting for someone to come along and exploit their weaknesses. Over time, however, organizations have taken steps to lock down these devices—increasing the work factor to a level at which criminal hackers are looking for softer targets. This is evident when looking at the increase in PDA and smartphone exploits. Printers, too, fall into the “soft target” category.
In 2003, the Blaster Worm hit McCormick and Co. (Deb Radcliff, “The Surprising Security Threat: Your Printers”, ComputerWorld, January 15, 2007). The interesting thing about this attack was where the worm took up residence. When sanitized network segments were re-infected, further investigation by the recovery team found the worm on their network printers. At the Black Hat Conference last year, security researcher Brendan O’Connor demonstrated that these types of vulnerabilities still exist by exploiting weaknesses in the Xerox WorkCentre and WorkCentre Pro 200 series printers (Robert McMillan, “Black Hat: Serious flaw puts Xerox printers at risk”, IDG News Service, August 4, 2006).
In addition to harboring malicious code, hacked printers can also provide access to sensitive information sent to them for printing.
There haven’t been many reported instances of infected printers compromising a network, but the number of printer exploits is steadily increasing. According to Radcliff, Symantec recorded 12 new security vulnerabilities affecting five network printer brands in 2006: Brother, Canon, Epson, Fujitsu, HP, Lexmark, and Xerox. This was up from 10 in 2005. The vulnerabilities recorded in 2005 and 2006 account for nearly half of the printer vulnerabilities discovered since 1997.
Also vulnerable to attack are print servers like some HP JetDirect devices. Adrian Crenshaw describes in detail the vulnerabilities you might find in JetDirect and Ricoh Savin products in “Hacking Network Printers”. He also provides information and additional links for hardening them.
Vulnerable printers typically run a Linux or Windows operating system, so hardening these potential points of unauthorized entry into your network is very similar to hardening your workstations and servers:
- Disable unneeded services.
- Include printers in your patch and configuration management processes. Most printer vendors have seen the light and are gearing up to implement patch release programs similar to those of Microsoft and other high-profile attack targets.
- Change all default passwords.
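As an added example (not from the original article), here is a small Python audit for the first item in the list above: it connects to common printer service ports on devices you administer and reports any that listen outside an approved baseline. The port selection, the inventory address and the baseline are assumptions of this example.

```python
import socket

# Common TCP services on network printers and print servers.
# Well-known port numbers; which ones to check is this example's assumption.
PRINTER_SERVICES = {
    21: "FTP", 23: "Telnet", 80: "HTTP admin", 443: "HTTPS admin",
    515: "LPD", 631: "IPP", 9100: "raw print (JetDirect/AppSocket)",
}

def open_ports(host, ports, timeout=1.0):
    """Return the ports from `ports` that accept a TCP connection on `host`."""
    found = []
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, filtered, or timed out
            pass
    return found

def audit(host, allowed, services=PRINTER_SERVICES, timeout=1.0):
    """Compare what one printer exposes with its approved baseline."""
    allowed = set(allowed)
    listening = open_ports(host, set(services) | allowed, timeout)
    return {
        "host": host,
        # Listening, but not in the baseline: candidates to disable.
        "unneeded": {p: services.get(p, "unknown")
                     for p in listening if p not in allowed},
        # In the baseline, but not reachable: baseline or device has drifted.
        "missing": sorted(allowed - set(listening)),
    }

if __name__ == "__main__":
    # Hypothetical inventory: address -> approved ports (documentation range).
    inventory = {"192.0.2.10": {443, 631}}
    for host, allowed in inventory.items():
        result = audit(host, allowed, timeout=0.5)
        for port, name in result["unneeded"].items():
            print(f"{host}: disable {name} on tcp/{port}")
        for port in result["missing"]:
            print(f"{host}: approved service tcp/{port} is not reachable")
```

Run it from the management network against your own printer inventory and feed the findings into the same configuration management process that tracks servers and workstations.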
When purchasing a printer or print server, check out the security features available. If the manufacturer has been negligent in providing the features you need to protect your information assets, look elsewhere for a printing solution.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.