Endpoint

10/16/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Printers: The Weak Link in Enterprise Security

Organizations frequently overlook printer security, leaving systems exposed to malware and theft. New tools aim to lessen the risk.

PC security has become a priority for security leaders following global ransomware attacks earlier this year. If they didn't before, everyone from CISOs to everyday consumers knows it's a bad idea to ignore security updates or use simple, breakable passwords.

This heightened awareness does not extend to printers, however, and hackers are exploiting poor printer security practices.

"Unlike PCs, where there's a full appreciation for the need to secure those devices, there's much less awareness to the need to secure print devices," says Ed Wingate, VP and GM for HP's JetAdvantage Solutions, noting that strong security practices for protecting PCs and other nodes on the network are not consistently deployed to printers.

Weak link in the IoT

Sam McLane, who runs the security engineering team at Arctic Wolf, says he is far less concerned about today's printers than about yesterday's printers. Many organizations, especially smaller ones, use printers around five to eight years old, and haven't updated them.

"Printers, specifically, have a much longer shelf life than any of the other IoT devices, and they were the earliest of the adopted devices," he explains. "People will run them into the ground and then some before they start replacing them."

This poses an especially big problem to small offices using consumer-grade devices, McLane continues. SMBs don't have the need or budget for high-end enterprise level printers, and make the mistake of sending corporate data into the cloud with lower levels of protection on a device meant to be in someone's house and not necessarily in a corporate environment.

"Someone could get into a computer via malware; printers advertise themselves well," says McLane. "If a laptop or desktop gets compromised, a printer is a great spot to put malicious code that everyone talks to … it's a built-in platform to launch attacks."

Common printer slip-ups

Most frequent mistakes include employing weak or default passwords, and neglecting to update firmware. "Printers are not always updated with the latest firmware," HP's Wingate adds. "In fact, we see heavy use of old firmware with printers, some with known vulnerabilities that are not being patched to the latest version. That represents an opportunity for hackers to come in."

Mismanagement of printer settings and ports leaves the door "wide open" for remote entry onto devices and into corporate infrastructure, he continues. Lack of active monitoring for printers also leaves businesses vulnerable to unauthenticated actors.

When overlooked, these errors can put full organizations at risk. Earlier this month, security researcher Ankit Anubhav found nearly 700 Brother printers exposed online, granting full access to their administration panels over the Internet. Devices on university, corporate, and government networks could be found via IoT search engines like Shodan and Censys.

One of the factors behind this exposure was the decision to ship printers with no administrative password. Researchers believe most businesses likely connected vulnerable machines to their networks without recognizing their administrative panel was exposed.

Vendor responsibility

As Wingate points out, it's not enough to simply protect a network from initial penetration. Firewalls are helpful "but not sufficient," he explains. CISOs must assume their network has already been breached and ensure there is no lateral attack on the network.

"What we've discovered in our research is that certain malware packets are able to enter the network by being sufficiently small and low profile - effectively entering under the radar," he explains. Once inside, it needs to contact the master command-and-control server to know what to do next. The way it does this is characteristic of that type of malware attack.

HP is addressing modern printer risks like this with a tool called Connection Inspector, which analyzes outbound network connections typically targeted by malware. It detects anomalous behavior and, if necessary, triggers a reboot to go back to a known version of the BIOs. This accelerates response speed, Wingate says, which is important given the security skills gap.

"If you have a human in the loop, who needs to be notified that there's a malware penetration, and he or she delays the response on solving the issue that undermines the security of the entire network," he explains.

Other new tools aim to improve security amid cloud growth and the rise of remote work. HP Roam, a Pull Print solution built in the cloud, lets mobile workers hand off documents and print them, then erases the job off the printer once the job is complete.

"Whether it's a sales rep in the field, an insurance agent, or any other 'road warrior' in the field, they sometimes must print," says Wingate. "And if they're not at home, and they're rarely at the office, where do they securely print? They don't securely print."

[Hear Arctic Wolf's Sam McLane discuss "Targeted Attacks: How to Recognize Them From the Defender's Point of View" at the INSecurity conference at National Harbor, Md., on Wed., Nov. 29. Register here.]


Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Olaf Barheine
50%
50%
Olaf Barheine,
User Rank: Apprentice
10/23/2017 | 4:32:10 AM
Wow!
I think I should switch my old printer from RJ45 to USB. A security test with NMAP showed that it's open like a barn door. And new firmware is not more available.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/22/2017 | 10:53:24 AM
Re: A simple google search
Even beyond Google, there's Shodan for finding exposed embedded devices -- printers and otherwise. Security researchers have relied on Shodan quite a bit to pull off some interesting research/exposes.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/21/2017 | 3:35:53 PM
For years
This has been an issue for quite a number of years, unfortunately. Printer vulnerabilities -- either because of poor enterprise practices or because of manufacturers not paying enough attention to their products -- really brought some attention the security weaknesses of embedded devices before the proliferation of IoT. Too bad manufacturers and enterprises didn't listen.
glennjdavis
50%
50%
glennjdavis,
User Rank: Apprentice
10/20/2017 | 7:34:49 AM
hi
hi
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/17/2017 | 7:43:51 AM
A simple google search
Years ago there was published a simple, extended search string for Google that browsed the internal web page of millions of Officejet printers.  Fantastic.  Tried it and the pages were displayed along with internal IP settings which, for a hacker, is an open door.  I did not purposefully remember it but I am not surprised that printers are a wide open door.  
AlyssaTallent
50%
50%
AlyssaTallent,
User Rank: Apprentice
10/16/2017 | 11:49:53 AM
Great
Ohhh that is pretty interesting 
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.