On March 24th of this year, 59 printers at Northeastern University in Boston suddenly output white supremacist hate literature, part of a wave of spammed printer incidents reported at Northeastern and on at least a half dozen other campuses.
This should be no surprise to anyone who understands today's printer technology. Enterprise-class printers have evolved into powerful, networked devices with the same vulnerabilities as anything else on the network. But since no one sits in front of them all day, as they do with personal computers, the risks they introduce are too often overlooked.
"Many printers still have default passwords, or no passwords at all, or ten are using the same password," says Michael Howard, HP's chief security advisor, speaking of what he's seen in the field. "A printer without password protection is a goldmine for a hacker. One of the breaches we often see is a man-in-the-middle attack, where they take over a printer and divert [incoming documents] to a laptop before they are printed. They can see everything the CEO is printing. So you must encrypt."
As for the Northeastern incident, "They were all printers outside central IT control, purchased with departmental funds," notes Mark Nardone, the university's chief information security officer. "We expect the departments to comply with security recommendations but do not have the resources to verify." Using one or more search engines, the attacker located unsecured printer ports and then sent each a PDF file and a print command, he says. The attacker printed one copy on each machine but could just as easily have printed thousands, Nardone adds.
He goes on to explain that the campus' managed printers are on a private VLAN and were not visible to the attacker, identified in the press as an American ex-con operating out of Eastern Europe. The university responded with a perimeter firewall that blocked all print commands from outside the university, while the IT department worked to move the unsecured machines into the VLAN.
The attacker did not have to exert himself. Howard says that he himself has been able to discover about 29,000 unsecured printers of all makes on the Internet using various search engine queries similar to those the attacker used. But such lackadaisical, self-defeating security postures for printers are nothing new -- a 2015 HP-sponsored survey by the Ponemon Institute found that 62% of responding IT security practitioners said they did not feel confident they could protect their printer-related data. That pessimism might result from the fact that 64% said their organizations assigned a higher priority to PC and laptop security than printer security.
But sources agree that attackers have been in a position to see what was printed by a particular machine since the day vendors started building hard drives into them. Basically, the machine composes a scratch image of the document and then erases it when the job is done. But as with a computer, erasing a disk file simply cuts the link between it and the machine's file catalog. The file itself remains on the disk until it's overwritten when its space is needed -- which may never happen. If it is not overwritten, it can be retrieved with special software.
In 2010, CBS News ran a dramatic report in which a correspondent bought four random enterprise-class photocopiers that had been leased and returned. His crew removed the hard drives and were able to access thousands of documents, many containing sensitive information, such as personnel, medical and even police records.
Today, encrypted hard drives and automatic file scrubbing are standard features. "I don't know of any business class machines without that capability anymore," says Andy Slawetsky, printer industry consultant at Industry Analysts Inc. "They became standard features three to five years ago, after that TV show. Each generation is more secure than the last, and if the IT department is doing its job, it should never be an issue."
Perhaps -- but the 2015 Ponemon survey showed that only 38% of the respondents were confident that the data on their printers was wiped before disposal or refurbishment.
"There are still machines out there without the latest technology, without hard drives that are encrypted or that erase themselves," says John Juntunen, founder and CEO of Digital Copier Security, a printer security service provider. And because these features can slow down the machine, some users disable them -- assuming they understand the features and use them to begin with, he adds. In addition, some machines only save to disk when doing sorting or two-sided printing, and some rely on RAM, further confusing users, Juntunen notes.
"In the old days they took the hard drive out and gave it to the customer" at the end of a lease, recalls Slawetsky. But as for a data breach resulting from someone actually going through the tens of thousands of images that theoretically could be found on the hard drive of a used machine, "I have not heard of it happening and I think there are easier ways to make a living," Slawetsky says.
Meanwhile, the remote retrieval of erased files is not a practical proposition for a hacker, Juntunen indicates. "You need direct access to the hard drive," he says.
Printer as invasion portal
An attacker may not be interested in what the printer is printing -- but in the basic fact that it resides on a corporate LAN and has an intelligent control system that can be infected.
"Increasingly, printers themselves have credentials and can be infected with malware," notes Kurt Stammberger, CMO at security firm Fortscale. "They may become a spambot, or be recruited to become part of a DDOS network and send out pings to overload a targeted machine. Such infections are quite common, and printers are one of the most common avenues of attack and infection in commercial networks, as they are particularly poorly protected," he says.
"Infected printers are normally used as jumping-off points for the invasion of a network, rather than to steal what's being printed," agrees Greg Young, an analyst at Gartner. "Printers are one-to-many devices and are promiscuous on a network. And quite often they aren't patched like PCs."
"If the hacker is skilled the printer can keep functioning, while in the background providing a platform for an invasion," Stammberger adds. "If the hacker is less skilled you might see it slow down or act oddly. Printer logs are a primary data source (for security investigators) and often turn up flags that can signal much more serious penetration."
Sources agree that the industry has generally responded to the threat with digital signatures (i.e., cryptographic authentication) for its software, making infections easier to defeat.
"It used to be that a lot of printer software was not digitally signed," notes Stammberger. "If it is signed it is not forgeable, so you know the software is authentic and from the vendor. It is now more common that software is signed, and tends to be more secure."
At Ricoh, for instance, "We have a stringent policy going back two decades, that anything put on our devices has to be tested and digitally signed by us," says product manager John Thiessen.
Likewise, HP has adopted a technology called Symbiote from Red Balloon Security. Co-founder Salvatore Stolfo, a security researcher at Columbia University, explains that the Symbiote software is injected into the firmware as an update, and monitors the rest of the firmware -- and itself -- for changes, triggering an alert or shutdown if any is detected. Symbiote has also been adopted by the U.S. government, he says.
What can you do?
In order to prevent printer-related security problems, "Basic hygiene is a good start," Stammberger says. "The printer itself has security measures that should be used. Wireless ports need passwords. If you can encrypt traffic, that is great. If you can authenticate traffic, that is great. But generally printers are a very common mode of network invasion -- we see it a lot."
"Containment is the number-one thing," adds Young. "Put like devices in a like part of the network, meaning put printers and other semi-vulnerable devices in a zone that can be monitored. Even if you can't patch them you can shield them and watch them. It's the same strategy that power plants use for any devices that can't be patched."
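A defender's view of the Northeastern response and of Young's containment advice, as an added example that is not from the article or from any vendor named in it: it audits constructed firewall flow records for connections to the common network print services (raw port 9100, LPD on 515, IPP on 631) that were allowed in from outside the campus, and lists printers answering on those ports outside the managed printer VLAN. The campus address ranges, the VLAN range and the log format are assumptions made for the example.

```python
import ipaddress
import re

# Well-known network print services: raw/JetDirect, LPD and IPP.
PRINT_PORTS = {9100: "raw-9100", 515: "lpd", 631: "ipp"}

# Assumed for this example: the campus address space and the managed
# printer VLAN that the article says the attacker could not reach.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRINTER_VLAN = ipaddress.ip_network("10.50.0.0/16")

# Constructed flow-log format: "<time> ACCEPT|DROP src=<ip> dst=<ip> dport=<n>"
LOG_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")

def in_any(ip, nets):
    return any(ip in n for n in nets)

def audit_print_flows(lines):
    """Return (alerts, stray_printers).
    alerts: print-port connections the firewall allowed from outside campus.
    stray_printers: campus hosts reached on a print port outside the managed
    VLAN, i.e. the departmental devices that central IT has not yet moved."""
    alerts, stray = [], set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a flow record; skip quietly
        ts, action, src, dst, dport = m.groups()
        dport = int(dport)
        if dport not in PRINT_PORTS:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if in_any(dst_ip, CAMPUS_NETS) and dst_ip not in PRINTER_VLAN:
            stray.add(str(dst_ip))
        if action == "ACCEPT" and not in_any(src_ip, CAMPUS_NETS):
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "service": PRINT_PORTS[dport]})
    return alerts, sorted(stray)

# Constructed sample records (documentation address ranges used as outsiders).
SAMPLE_LOG = """\
2016-03-24T09:12:01 ACCEPT src=198.51.100.7 dst=10.20.3.44 dport=9100
2016-03-24T09:12:02 ACCEPT src=10.20.3.10 dst=10.50.1.5 dport=631
2016-03-24T09:12:03 DROP src=198.51.100.7 dst=10.50.1.5 dport=9100
2016-03-24T09:12:04 ACCEPT src=203.0.113.9 dst=10.20.7.2 dport=515
2016-03-24T09:12:05 ACCEPT src=10.20.3.10 dst=10.20.3.44 dport=443
""".splitlines()

if __name__ == "__main__":
    alerts, stray = audit_print_flows(SAMPLE_LOG)
    for a in alerts:
        print("external print connection allowed:", a)
    print("printers outside managed VLAN:", stray)
```

The two allowed external connections are exactly the kind the perimeter rule described above should have dropped, and the stray list is the migration backlog for the VLAN.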
"You should read the information the manufacturer provides, and take the steps they recommend to make sure the device is not open and accessible to anyone sniffing around on the Internet," agrees Thiessen at Ricoh.
"More important is security against internal misuse, as a user might not be entitled to work with it or might unintentionally allow access to a third party," says Jiri Tuma, product manager at Czech print management software vendor Y Soft. "Print management solutions can restrict people from certain functions, such as scanning or faxing, to guard against data leaks and log who is doing what."
Indeed, most security tips provided by major printer vendors emphasize the need for internal restrictions to prevent misuse and abuse, saying that printers should have the same physical controls as the rest of the IT infrastructure. Those vendors, of course, also tout their own management software. Howard, for instance, notes that HP Security Manager offers more than 250 security settings, and a network server pushes a security policy onto each printer when it is turned on.
If the worst happens, an infected printer needs to be taken off the network, reset, and its firmware reloaded from a trusted source, Stammberger says.