Insider threats can come from the most unexpected places. Earlier this year, the hacker Andrew Auernheimer created a script that scanned the Internet for printers with port 9100 open. The script then printed racist documents on those printers across the globe. Wait a minute: network printers? Granted, this was more of a nuisance than a malware attack that could destroy data, but the point should be obvious. Anything that has an IP address is fair game for hackers. And while stories about Internet-connected thermostats and webcams are sexier and more newsworthy, the lowly network-connected printer is a potential threat in its own right.
Printers are an easy mark because we don’t usually think of them as malware repositories. But they often make great hacking portals because they “are often configured with access to the organization’s file server, email server, and active directory, [so] the potential risk is enormous.” That was written several years ago by the security research consortium OPSWAT in a blog post about the threat.
Sadly, using printers as an attack vector is not new. Back in 2005, this guide was posted about gaining access to printers attached to HP’s JetDirect network connector cards. Many IT administrators are only now finding similar pages and reading them for the first time.
Several years ago, one security consultant had a 15% success rate at finding compromised network printers. According to this article in the Register, that rate has climbed to 50% more recently. He was quoted in the article saying, "A lot of people don't realize these high end printers can store passwords in the address books." Gulp.
One reason for the ready access is that the firmware for many printers is rarely, if ever, updated, so security flaws remain unfixed for years. Many printers still have their preset default passwords, or no passwords at all. And almost all printers have web-based management interfaces, making them tasty targets for even the least sophisticated hackers. Many printers now run Linux or embedded Windows operating systems, making them easier to manipulate. Finally, many printers that aren’t directly Internet-accessible may still be subject to cross-site scripting attacks because of weak or nonexistent authentication policies.
Some of the attacks are comical, such as running the game Doom on one Canon printer’s control panel. But others are more serious, such as installing denial-of-service tools, rerouting print jobs (and the confidential documents they contain) to external locations, and having the printer join a botnet army for further mischief. This last situation was discovered on a large hospital network last year.
So what should you do? Ed Skoudis at SearchSecurity has several suggestions here:
- Change default passwords and account names for printer logins immediately
- Put printers on their own protected VLAN and monitor it carefully for non-printing traffic
- Eliminate any unneeded services (such as FTP) and make sure the ones that are left are password-protected
- Use SSL or HTTPS to manage the printer if these protocols are available, and make sure they have strong passwords for logins
- Make sure your intrusion products know about your entire network printer collection and routinely scan to see if odd traffic is coming from any of them.
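To make the VLAN-monitoring and inventory advice above concrete, here is an added example (not code from the article or from Skoudis) that audits constructed flow-log lines from a printer VLAN against a printer inventory and flags anything that is not ordinary print traffic: a client reaching a printer on a non-print service such as FTP, or a printer initiating its own connection to anything outside a small infrastructure allow-list. The port sets, the allow-list addresses, and the sample flows are all assumptions chosen for illustration.

```python
"""Flag non-printing traffic on a printer VLAN.

Added example, not from the original article: parses constructed
flow-log lines "src_ip,dst_ip,dst_port,proto" and reports any flow
touching a known printer that does not look like normal printing.
"""
from dataclasses import dataclass

# Services a printer legitimately accepts (assumed allow-list):
# raw/JetDirect 9100, IPP 631, LPD 515, HTTPS management 443.
PRINT_SERVICE_PORTS = {9100, 631, 515, 443}
# Connections a printer may itself initiate (assumed: DNS, NTP, SMTP relay).
PRINTER_EGRESS_ALLOWED = {("10.0.0.2", 53), ("10.0.0.2", 123), ("10.0.0.3", 25)}


@dataclass(frozen=True)
class Alert:
    printer: str
    peer: str
    port: int
    reason: str


def audit_flows(flow_lines, printers):
    """Return alerts for flows involving a known printer that are not expected."""
    alerts = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, _proto = line.split(",")
        port = int(port)
        if src in printers:
            # Printer-initiated connection: only the infrastructure allow-list is expected.
            if (dst, port) not in PRINTER_EGRESS_ALLOWED:
                alerts.append(Alert(src, dst, port, "printer-initiated egress"))
        elif dst in printers and port not in PRINT_SERVICE_PORTS:
            # Someone is using a service on the printer that should have been disabled.
            alerts.append(Alert(dst, src, port, "non-print service accessed"))
    return alerts


# Constructed sample flow log (documentation-range addresses, no real hosts).
SAMPLE_FLOWS = """
# src,dst,dport,proto
10.0.1.25,10.0.9.10,9100,tcp
10.0.1.25,10.0.9.10,631,tcp
10.0.9.10,10.0.0.2,53,udp
10.0.1.40,10.0.9.10,21,tcp
10.0.9.11,203.0.113.7,6667,tcp
10.0.9.11,10.0.0.3,25,tcp
""".strip().splitlines()

PRINTERS = {"10.0.9.10", "10.0.9.11"}  # the printer inventory (constructed)

if __name__ == "__main__":
    for a in audit_flows(SAMPLE_FLOWS, PRINTERS):
        print(f"{a.printer} <-> {a.peer}:{a.port} {a.reason}")
```

On the sample log this reports the FTP connection to 10.0.9.10 and the outbound connection from 10.0.9.11 to an external host on port 6667, while the DNS and SMTP-relay flows pass.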