Enterprise endpoints have posed significant security risks for organizations for quite some time. With more and more connected devices and products finding themselves in the workplace and embedded into corporate networks, security teams have been forced to move from a traditional perimeter-focused approach to one which ensures individual devices are updated, secured and maintained to a definite level of compliance. However, whilst both organizations and manufacturers have slowly but steadily developed greater focus on securing devices such as laptops, tablets, smartphones and servers, there has been one commonly found and much-used corporate endpoint device that has tended to slip under the security radar – the office printer.

Security issues surrounding printers are nothing new, with incidents of printed document loss dating as far back as the 1950s and 60s and continuing to cause issues ever since. The big difference in today’s digital world is that modern printers are sophisticated devices, and a lot are now being produced with numerous in-built functionalities that are putting them at far greater risk than ever before, without the same sophistication of security to go with it.

This was showcased at DEF CON in Las Vegas this year, when researchers from Check Point released details on two critical vulnerabilities in a popular HP OfficeJet Pro 6830 printer which they were able to exploit by targeting its fax capabilities. With just one simple fax message, they not only quickly gained access to the printer, but also leveraged it for further penetration.

“One discovery led to another,” Yaniv Balmas, group manager, security research at Check Point and one of the vulnerability discoverers, tells Infosecurity. “By exploiting the fax protocols, we were able to create a malicious file (which appeared to be a color JPEG image file) and send it over the phone line to the target fax-printer machine. The fax-printer then uploaded the ‘image’ file and stored it in its memory without any file checks being applied.”

Hewlett Packard was quick to release a patch for each exploit and, in September, announced the launch of the very first bug bounty program specifically for office printers, offering rewards of up to $10,000 (based on the severity of the flaws discovered) for researchers who correctly identify vulnerabilities in its printing products and software. “As the first service of its kind in the market, we anticipate our bug bounty program will help many businesses stay ahead in the cybersecurity battle,” says George Brasher, managing director – UK and Ireland, vice-president and general manager, HP.

What these two things show is that, not only has an enterprise the size and scale of HP recognized the need to offer potentially hefty sums of cash for disclosures of vulnerabilities solely in its printing products, but that office printers still have easily exploitable but potentially damaging flaws. When you put that together, the obvious question to ask is: how big is the printer security problem in 2018?

Slipping Under the Radar

According to Sebastien Jeanquier, principal security consultant at Context Information Security, the world of printer security in the enterprise is largely an anachronistic oxymoron.

“The state of the role of printers in enterprise security hasn’t changed very much over the past decade, with printers continuing to pose a threat to enterprise networks due to their status as largely unmaintained systems with numerous security flaws,” he explains. “Printers don’t run security technologies such as anti-virus or host-based intrusion detection services, which makes them easier targets for attackers and more difficult to secure.”

Conversely, Quentyn Taylor, director of information security at Canon for EMEA, argues that corporate printer security is better than it was in the past, with both physical and software feature sets evolving to meet an increasing threat landscape and making printers more secure out of the box.

What both experts do agree on, though, is that significant printer security problems continue to occur in the enterprise as a result of gaps in security awareness compared to other endpoints and failures to keep them actively administered, with vital updates often neglected.

“Once printers are installed in an environment, often directly onto the local internal LAN, they are seldom updated, meaning that any vulnerabilities identified and fixed by the manufacturer may not be patched on end devices in the field,” Jeanquier says.

“Multi-functional devices are, in most cases, the last servers that have been left on the shop floor in most enterprises,” Taylor concurs. “In some companies they are the biggest part of IT spend that sits outside of the IT budget and are too easily viewed as being an everyday part of the office landscape, despite the massive amounts of sensitive data that they both hold and process. There is a tendency to underestimate the risks of printers because they are a familiar part of the office.”