Printer Hacking, Again

At the beginning of this month, I posted a note here about a security vulnerability that had been discovered in the firmware update process for HP laser printers. Even though the company disputed some of the findings, the key lesson was clear: printers, along with many other devices, now contain sufficient computing capacity that they can be attack targets in their own right.

Daniel Wesemann, one of the volunteer handlers at the SANS Internet Storm Center [ISC], has a new diary post on printer security.  As he points out again, many modern printers are much more capable devices than the “dumb” printers many of us grew used to.

Most office printers aren’t just printers anymore. So-called MFPs (Multi-function printers) have taken over, and they contain permanent storage (a hard drive, usually), a fax modem, etc.

Many of these devices retain copies of recent print and fax jobs, and have interfaces that can be used to retrieve copies of those jobs over the network; and the devices often come with the usual sorts of insecure default configurations, unnecessary protocols enabled, and stupid default passwords.

As Wesemann points out, the ISC is currently conducting an informal poll of its readers on printer security, asking the question: Do you monitor or otherwise secure your printers in your environment? At the time I’m writing this, there have been ~500 replies. About 57% of the respondents answered “NO” — not a particularly encouraging result for the security-minded.

This is not entirely surprising. As I’ve remarked before, the basic problem is that many people still don’t think of these devices as requiring any sort of security attention. Often, if the subject is raised, they will think of potential threats as being someone sending a garbage print job that uses up all their paper or toner. That these machines are small computers that can also produce output on paper has not yet shown up on many users’ radar.

The ISC article also has some sensible suggestions for securing the printers in your environment.

