If you don’t have the context, read my previous post on comparing printers to VoIP—i.e., it’s another computer on our network.
Now that you are in the right mindset, look around your office and see if you see a printer sitting somewhere. It might even do copies, scanning, and faxing. Super fancy ones might even connect to WiFi networks to make things easy for interoperability. So many of them have hard drives in them for document storage, logs, configuration, and the operating system that powers the device itself. When is the last time you upgraded the operating system on that printer? Are you using a default configuration or have you locked down all the things you don’t need? Better yet, I’m sure you wiped and re-imaged it, right?
Are you panicking yet? You should be.
Printers, like VoIP phones, are just another computer masquerading as something else—in this case, a device that turns electronic documents into paper, or vice versa. If it’s not locked down and configured securely, it’s going to get hacked.
How Bad Could It Be?
So I’m sure you are now thinking that it can’t be that big of a deal, right? Let’s look at some of the ways this could end up being a really bad situation.
- Modification of Jobs: You are sitting at your desk and you hit print on the 30-page contract to sign and then courier to a new supplier. But while en route to the printer, terms or pricing are changed. You sign and ship.
- 3D Printing Too: Perhaps someone modifies the specs for the body parts or surgical items you need to fix an ailment. Or the specs for a rare part are altered to ruin a shipment?
- Data Leakage Nightmare: How many scanned/printed documents are saved locally on that hard drive? Could those documents have valuable information on them to an attacker? How many executives do you work with that still have emails, documents, or calendars printed out every day? What about the specs for some of those engineering parts that you may print out for production?
- Printing Disruption: DoS against printing can bring certain businesses grinding to a halt. I know this because I once crashed every print server in a hospital during a security test, stopping the ability to print ANYTHING.
- Attack Launching Point: Probably the worst one is the ability to score some lateral moves as printers may be more exposed and trusted than they should be.
What to Do?
Now that your heart is racing like you just sprinted across the park, there are a few things you need to do to ensure your printers are not an attack launch point inside your organization.
- Include them in your penetration testing and red team efforts. They should be a target just like anything else.
- Re-image printers before putting them into production so they run a clean OS build with only the configurations your organization needs.
- Be sure you can update the operating system once new patches are released.
- Segment them into their own network and leverage technologies like DLP and FollowMe Printing to track document movement.
Any tips of your own for reducing the risk associated with printers? Drop them in the comments!
Disclosure: This post is sponsored by HP, Inc.