Printers are hackable – so why aren’t bosses protecting them?
Protecting your ink machines may not seem like an attractive idea, but they can be hacked just like any other device. Company executives seem woefully unaware of this fact, a blind spot that could cost them dearly if left unchecked, a cybersecurity author and analyst has warned.
Mathieu Gorge, founder and CEO of digital risk-management company VigiTrust, has a problem. He realizes that smart printers are a gaping hole in many of his clients’ cyber defenses, but not all of them do.
“I think it's sexier to secure a fleet of 10,000 remote laptops and devices than it is to secure 200 printers, you know?” he tells me. “There are a lot more solutions out there for traditional endpoint security than for printer security.”
This despite the fact that a typical smart printer manufactured today will have the same hard-drive capacity as a laptop made two or three years ago, and most likely be used to print and scan sensitive documents on a regular basis. For the past decade, Gorge has been trying to raise awareness among businesses and other organizations of the increasing threat unprotected printers pose to their cyber defenses.
“I was part of the Secure Printing Initiative, and the whole idea even back then was that printers are vulnerable – because a lot are multifunctional and kind of the forgotten assets of the ecosystem,” he explains. “They have a lot of data. Because when you're about to sign a big contract or review a technical specification, what do you do? You print it, because you want to look at it, make notes, and so on. And so all of those documents end up being printed, but the printers themselves are not necessarily secured – anybody can replay a job.”
Naturally, advances in technology have only made online printers an even more tempting target for ransomware criminals and other threat actors, a problem exacerbated by the ease with which they can be flagged. Just the other day, Gorge ran a simple Google search that revealed the publicly listed internet protocol (IP) addresses of hundreds of unsecured machines.
“Most of the new multifunctional devices allow you to scan to fax, scan to email, and do a lot of different things between document capture and printing,” he says. “So they become the Trojan horse of the IT inventory. Because they're not really looked at. Everybody talks about endpoint security, they want to secure mobile phones, laptops, iPads, and so on. But the printers also need to be part of it.”
There are high-tech security measures in place to help secure sensitive documents that need to be printed, Gorge assures me, but executives aren’t always aware of them. For example, Follow Me printing allows you to travel from, say, Dublin to New York without printing and carrying valuable documents on your voyage – instead you send them to an IP-enabled printer in the office you are traveling to.
“I've got an authentication card, and when I get to New York, the job is there, encrypted, and only I can print it,” says Gorge. “That's not new technology, it's been there for ten years.”
Clients are at risk
This complacency regarding printer security among executives could have a spillover effect, harming not only businesses but their customers too, by exposing their personal details to cybercriminals.
“If you look at payments by credit card, or somebody that's filling out a loyalty card and sending it back in the post, that document arrives at the sales and marketing division of the company, and they scan it to email,” says Gorge. “You end up with multiple copies of credit-card holder data. It's on your printer, email server, back-ups, everywhere.”
Private- and public-sector organizations are not mapping their data ecosystems thoroughly enough, he warns: “you need to include the printing and document capture environment. That is not well covered in standards and regulations.”
This lack of oversight could potentially expose medical records at hospitals, and allow cybercriminals to forge or tamper with insurance contracts and public-sector-issued documents such as TV or driving licenses.
“Imagine if I was able to hack into a printer and print a certificate of insurance for cars, for instance,” says Gorge. “That would actually not be faked, it would look so good – all I would have changed is the registration, the license plates. That can be done.”
“Hospitals are also at risk. Not everybody in the health service should be able to print the results of my blood test. It should be limited to my practitioner and maybe his assistants or the lab, but it shouldn't be a free-for-all. If somebody steals my credit-card details I can get another within two days, and I will most likely get the money back. If somebody messes with my health data, I only have one set. It's unrecoverable.”
How to guard against printer-jacking
Speaking with Gorge puts me in mind of an experiment our own research team at Cybernews ran a couple of years ago. Our investigators used the specialized internet-of-things (IoT) search engine Shodan to locate thousands of unsecured printers, hacking into 28,000 machines. The operation was firmly in the white-hat camp – our researchers made the compromised machines print out a document informing the owners that they had been hacked, advising them to beef up their defenses.
But, of course, not all hackers will have good intentions, so I ask Gorge what steps decision-makers should take to secure their printer networks.
“First of all, your smart printers should be behind a firewall, and only the correct traffic should go to and from the smart printer,” he explains, adding that documents should be automatically wiped from a printer’s memory every few minutes. “So unless it's Follow Me printing and it's waiting for someone and fully encrypted, it's purged from the printer's memory so you can't replay it.”
Next up is a strict access policy, which executives need to implement for printers just as they would for servers or cloud applications. “Some people will just be able to print, some print and scan to fax and email – others will only be able to print documents if they use the Follow Me feature because the data they have is too sensitive,” explains Gorge. “You then put in the right technical measures – two-factor authentication, file integrity software. If I am trying to scan a document to email when it's not within my profile, you can stop that or raise an alert. Am I scanning confidential information, do I need to do that? So it's really on a need-to-know basis.”
To help raise awareness among bosses and persuade them to take printer security more seriously, Gorge and his team will even run “bait traps” using bogus documents, to demonstrate how readily workers will print something they shouldn’t have access to if it piques their interest.
“One thing that works really well is to print a fake list of salaries,” he says. “We've done a lot of events for clients where they just need to understand what's happening with the printers, so we put a job in the queue that says Executive Salaries – and you'd be surprised how many people print it! It's completely fake, of course.”
Do not ignore this blind spot
But what would Gorge say to employers who raise the concern that restrictions created by tougher security measures will hamper their employees at work, leaving them feeling stressed out and disgruntled?
“Obviously, there's always friction when you try to limit people's ability to use features,” he acknowledges. “But at some stage, you need to make a call as to what actually matters to the business. It's a blind spot. It's not new, but what is new is that the printers are wireless – and they're everywhere. Whereas before you needed to hack into the system to find the printers, now they actually advertise themselves – so you have to raise awareness.”
Unsurprisingly, cyber gangs do not need much technical expertise or investigative knowhow to exploit these self-promoting vulnerabilities.
“I am sure there are lists of more protected printers available on the dark web, but for other printers, you actually don't need anything – they are just so open, it's crazy,” Gorge stresses. “And that's one of the other things – the skill level of the attackers is going down, they don't need to be experts. They don't even need to be that technical, it's that easy to find.”
In closing, Gorge cites a “grief paradigm” he outlined in his book The Cyber Elephant In The Boardroom, detailing the five steps decision-makers take towards realizing they have a cybersecurity problem and taking the necessary action to rectify it: “First stage is denial, then comes anger, then bargaining, then depression, and finally there’s acceptance – that it’s just one of those blind spots that we didn’t cover, and we need to. It’s not rocket science, you know?”
More from Cybernews:
Subscribe to our newsletter