Enterprise endpoints have posed significant security risks for organizations for quite some time. With more and more connected devices and products finding themselves in the workplace and embedded into corporate networks, security teams have been forced to move from a traditional perimeter-focused approach to one which ensures individual devices are updated, secured and maintained to a definite level of compliance.
However, whilst both organizations and manufacturers have slowly but steadily developed greater focus on securing devices such as laptops, tablets, smartphones and servers, there has been one commonly found and much-used corporate endpoint device that has tended to slip under the security radar – the office printer.
Security issues surrounding printers are nothing new, with incidents of printed document loss dating as far back as the 1950s and 60s and continuing to cause issues ever since. The big difference in today’s digital world is that modern printers are sophisticated devices, and many are now produced with numerous built-in functions that put them at far greater risk than ever before, without security of matching sophistication.
This was showcased at DEF CON in Las Vegas this year, when researchers from Check Point released details on two critical vulnerabilities in a popular HP OfficeJet Pro 6830 printer which they were able to exploit by targeting its fax capabilities. With just one simple fax message, they not only quickly gained access to the printer, but also leveraged it for further penetration.
“One discovery led to another,” Yaniv Balmas, group manager, security research at Check Point and one of the vulnerability discoverers, tells Infosecurity.
“By exploiting the fax protocols, we were able to create a malicious file (which appeared to be a color JPEG image file) and send it over the phone line to the target fax-printer machine. The fax-printer then uploaded the ‘image’ file and stored it in its memory without any file checks being applied.”
Hewlett Packard was quick to release a patch for each exploit and, in September, announced the launch of the very first bug bounty program specifically for office printers, offering rewards of up to $10,000 (based on the severity of the flaws discovered) for researchers who correctly identify vulnerabilities in its printing products and software.
“As the first service of its kind in the market, we anticipate our bug bounty program will help many businesses stay ahead in the cybersecurity battle,” says George Brasher, managing director – UK and Ireland, vice-president and general manager, HP.
What these two things show is not only that an enterprise the size and scale of HP has recognized the need to offer potentially hefty sums of cash for disclosures of vulnerabilities solely in its printing products, but also that office printers still have easily exploitable and potentially damaging flaws. When you put that together, the obvious question to ask is: how big is the printer security problem in 2018?
Slipping Under the Radar
According to Sebastien Jeanquier, principal security consultant at Context Information Security, the world of printer security in the enterprise is largely an anachronistic oxymoron.
“The state of the role of printers in enterprise security hasn’t changed very much over the past decade, with printers continuing to pose a threat to enterprise networks due to their status as largely unmaintained systems with numerous security flaws,” he explains. “Printers don’t run security technologies such as anti-virus or host-based intrusion detection services, which makes them easier targets for attackers and more difficult to secure.”
Conversely, Quentyn Taylor, director of information security at Canon for EMEA, argues that corporate printer security is better than it was in the past, with both physical and software feature sets evolving to meet an increasing threat landscape and making printers more secure out of the box.
What both experts do agree on though, is that significant printer security problems continue to occur in the enterprise as a result of gaps in security awareness compared to other endpoints and failures to keep them actively administered, with vital updates often neglected.
“Once printers are installed in an environment, often directly onto the local internal LAN, they are seldom updated, meaning that any vulnerabilities identified and fixed by the manufacturer may not be patched on end devices in the field,” Jeanquier says.
“Multi-functional devices are, in most cases, the last servers that have been left on the shop floor in most enterprises,” Taylor concurs. “In some companies they are the biggest part of IT spend that sits outside of the IT budget and are too easily viewed as being an everyday part of the office landscape, despite the massive amounts of sensitive data that they both hold and process. There is a tendency to underestimate the risks of printers because they are a familiar part of the office.”
Greater Functions, Greater Risks
A familiar part of the office they may be, but gone are the days when office printers were simple devices that merely churned out documents and did nothing more. Most corporate printers can now store large amounts of information in print queues and hard drives, scan and send documents of all kinds, and receive emails, and they have processing capabilities akin to servers – not to mention network, internet and cloud connectivity and protocols enabled by default. That not only makes them a more attractive target for attackers from a data perspective but, due to unsecured vulnerabilities, a more openly exploitable one.
“Printer manufacturers have implemented an increasing number of software features that are intended to be useful, but also bring with them new attack paths via weak network services or even browser-based applications,” says Jeanquier.
The public hacking exploits of Balmas and his colleague at DEF CON were a prime example of how “features and functions in these devices – such as fax capability – are easily overlooked, yet can be targeted by criminals and used to take over networks to breach data or disrupt operations.” What’s more, whilst it was just the work of researchers seeking to do good, the types of vulnerabilities unearthed were very real and, in the wrong hands, have the potential to cause catastrophic damage to enterprises of all sizes.
The Threat is Real
As Balmas points out, the simple method they used to compromise the OfficeJet all-in-one inkjet printer could easily be manipulated to launch “any type of malware or exploit” – ransomware, spyware, cryptominers – and spread full malicious payloads to the connected network. “Depending on how that network is protected, the damage could be severe and widespread.”
Brasher is also quick to warn of the real-world implications of business printers that are open to the network and have complex (and subsequently vulnerable) operating systems. “This isn’t theoretical, it’s an attack vector that hackers have already used successfully,” he says. “A 2017 study by analysts Quocirca found that 61% of all businesses surveyed had experienced at least one printer-related data breach.”
Even if the data going through a device is secure, adds Taylor, components within the device can potentially be exploited for other purposes. “Endpoints [such as printers] are still targeted because they continue to produce results,” he says. “It may seem trite to suggest that it’s easier to exploit a device that either can’t be secured or has been badly configured, but it’s a fact.”
Solving the Problem
So what needs to be done to address an enterprise security problem that appears to have existed for far too long but is yet to be effectively addressed?
For Taylor, the responsibility first lies with manufacturers, who have a significant part to play. “They have an obligation to provide endpoints that are fit for purpose, secure and with privacy built in,” he argues.
Jeanquier echoes similar sentiments, adding that “manufacturers should consider adopting a ‘less is more’ mindset when deciding what network services to implement, prune antiquated services that customers are unlikely to ever need and mitigate initial risks by having such services disabled by default.”
Businesses themselves must also bear part of the responsibility, argues Balmas, and it is “critical that organizations protect themselves against possible attacks by updating their machines with the latest patches and separating them from other devices on their networks.”
A corporate printer is only ever as secure as its weakest link and it is up to the information security team to understand the threat that any device like a printer can bring, Taylor adds. “Organizations need to be aware of the risks that endpoints present and specify the non-functional requirements to address the risk. Cheaper and faster may seem more effective until an insecure endpoint on a device allows it to be used for data exfiltration or as part of a DDoS attack.”
Other key things for an organization to consider include understanding the type of data its printers process, knowing how users interact with them, making the security choice the default (such as badge-enabled printing or secure guest/mobile printing), and deciding how the printer fits into the wider corporate security setup.
In today’s threat landscape, choosing an endpoint device is now a security decision, argues HP’s Brasher: “It means that anyone involved in a hardware purchasing decision – however small or large – will have an influence on the security posture of the business.”
“Ultimately, security is everyone’s responsibility and enterprise-wide security awareness goes a long way in solving the security issues that are familiar in the day-to-day,” Taylor concludes.