Old Printer Vulnerabilities Die Hard
New research on an old problem reveals despite efforts, the InfoSec professionals still have a way to go when it comes to securing printers.
Despite copious warnings and efforts by the security community to harden the defenses of printers, they continue to represent a ripe target for attackers.
Just this past summer researchers at Check Point found a vulnerability that allowed an attacker to compromise a multi-function printer with fax capabilities simply by sending a fax. In July, Positive Technology shared a proof-of-concept attack that shows how attackers can compromise a corporate network via installing a customized Xerox printer firmware on a targeted printer. In August, HP Inc. patched hundreds of inkjet models vulnerable to two vulnerable remote code execution flaws (CVE-2018-5924, CVE-2018-5925).
Printers, security researchers say, are the Achilles Heel for network management. They sit on the network like a PC and need regular updating like any other network endpoint – but often don’t.
In an HP-sponsored study by the Ponemon Institute (PDF), of 2,000 IT security practitioners surveyed, it found 56 percent of respondents believe employees in their organizations do not see printers as an area of high security risk. Worse, only 44 percent of respondents say their organizations’ security policy includes the security of network-connected printers.
“Too often nobody cares enough about printers. They are considered a trusted and reliable piece of equipment that print out documents. But at the end of the day, it’s an endpoint – just like a PC. They are Wi-Fi enabled with an IP address and a network interface card,” said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies.
In many ways, he said, the printer is the original IoT device; and with it have come similar security issues.
The challenge is two-fold, he explained. Too often aging corporate printers aren’t receiving security patches needed. In addition newer cloud-friendly printers, such as those with remote management functions, are growing the attack surface of the latest generation of printers.
“In 2005 we began seeing printers becoming truly network attached devices and not just direct attached or USB attached device connected to a PC or server,” said Eric McCann, software product marketing manager at Lexmark International. “Almost overnight, printers became multifunction and had access to everything on the network.”
Matt Field, software development manager at Lexmark, said the introduction of a multifunction printer opened the door and grew demand for things such as document digitization. That prompted workers to send jobs to a shared server or to email digital copies.
Today, that network-aware printer is now internet-aware and creating new opportunities for cloud services and for advanced features such as remote management by third-party service providers.
“This has brought an entirely new set of security risks to the equation,” said Field. “Printers went from direct attached, network attached and now entire fleets of printers can be managed via the cloud through a single portal.”
Lexmark, like other printer manufacturers, said it has used devices encrypted communications and firmware for over a decade. Each of the big printer makers – HP Inc, Epson and Canon – market a security stance enforcing that printers need to adhere to strict business’ IT policies.
“If you require your PC’s to authenticate into Active Directory, then you need to do the same thing for your printer. Companies need to extend those policies down, up or sideways within a company,” Field said.
Printer security risks range from device misconfiguration, print job manipulation, unauthorized access to print data and man-in-the-middle attacks in the cloud. Then there are a myriad of vulnerabilities that crop up, where a hacker could compromise a printer and use it as a beachhead into an otherwise secure network environment. Mitigation against risks falls on the backs of IT administrators, but also vendors who identify bugs and patch them.
Leading printer firms such as Epson and Canon both hammer the security message to customers emphasizing proper configuration and management of equipment. Lexmark says it has adopted a responsible disclosure policy for each bug customers find and bring to its attention. HP Inc. partnered with Bugcrowd to create a bug bounty program. In July, it launched the first ever printer-dedicated bug bounty program with awards up to $10,000.
But, despite best efforts, finding bugs and patching them remains a challenge – despite a decade of trying to perfect the practice. “Patching continues to be a problem. Firmware updates aren’t easy. That’s something we are looking to improve upon in the future with,” Field said. He said the company was exploring ways to make the process more automated.
Preventing insecure printers comes down to the “obvious” solution that has proven elusive to so many, say experts. They suggest enforcing data encryption rules and replacing outdated printers with newer more secure models. IT administrators need to implement a regular patch enforcement with printers as they would any user server or PC. Lastly, take advantage of any built-in management to properly secure it for remote access.