Cyber Security Risk
Printer and print fleet risk is underestimated, hidden and high. 99% of printers are at risk because of factors such as: 1) a lack of understanding that built-in security features are shipped unused and of how factory resets behave, 2) the exposure of unprotected printers through the many threat vectors printers present, including direct physical access, 3) the risk from the dynamic, constantly changing state of fleets and 4) the risk from unintended effects of patching.
It only takes one unprotected printer to expose your business to millions of dollars in cost. The risks are high.
Printers’ Built-In Security Features Are Not Being Used, Factory Reset
Printer manufacturers (“OEMs”) offer built-in printer security features to address the threats to their printers, but in the field these features are not being used. OEMs ship printers with security features deactivated to give customers flexibility of use (known as “factory defaults”), and those features typically are not activated when printers are placed on corporate networks. The features do not protect the printers unless they are activated and managed. These factory defaults create incredible risk for these vulnerable endpoints.
To compound this risk, the standard operating procedure for technicians has been to install printers on networks unconfigured for security and to reset them to “factory defaults” after every maintenance or service call. This “human behavior” can unknowingly undo any hardening that has been applied to the printers. Printers are not being patched even though patches are available. (Printer OEMs have traditionally recommended against patching because of the risk of damage to the printers themselves and the resulting outages.)
This practice of leaving printers at factory defaults has now met its match in an exponentially accelerating cybercrime industry filled with criminals constantly seeking vulnerabilities to exploit. To criminals (often state-sponsored enterprises), even one vulnerability on one printer can provide a jackpot of valuable data to steal, or a direct on-ramp into a business’ network for ransomware injection or credentials harvesting. Businesses must now act to protect themselves.
Published Hacks of Unprotected Printers
Unprotected printers are the favorite entry point and lateral movement pivot point for criminals. The details of how the criminals gained entry are typically not published. However, the following notable printer hacks highlight how easily criminals can exploit unprotected printers:
Stackoverflowin Hack. In 2017, a hacker named Stackoverflowin launched a massive printer attack compromising over 150,000 printers globally, including those of well-known universities, businesses and government offices, to “raise everyone’s awareness towards the dangers of leaving printers exposed”. He executed the attack with a publicly available script that sent rogue print jobs to the target printers and printed messages. The attack covered varied makes, models and ages of printers. His “scripts targeted printing devices that had IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections” (“A Hacker Just Pwned Over 150,000 Printers Left Exposed Online”, BleepingComputer, Catalin Cimpanu, February 4, 2017).
PewDiePie Hack. In 2018, a teenage attacker used the website Shodan.com (a favorite of cyber criminals) to find and hack 50,000 printers, making them print messages promoting his YouTube channel (“Hacker hijacks 50,000 printers to tell people to subscribe to PewDiePie”, Engadget.com, November 30, 2018).
CyberNews 2020 Hack. In 2020, CyberNews, a research group, used Shodan.com to find more than 800,000 unprotected printers in its first search, hijacked 28,000 of them and printed a PDF guide on print security to highlight how easily the printers can be discovered and hijacked (“Nearly A Million Printers At Risk of Attack, Thousands Hacked to Prove it”, Forbes, August 31, 2020, Lee Mathews). TheHackerGiraffe, a hacker quoted in the article, reported that with such unprotected printers “hackers can upload backdoors and recruit them into botnets”. The article continues: “The hacker added that attackers could also access recently printed or scanned files that are stored on printers or even brick the devices by causing repeated writes to their onboard chip.” CyberNews wrote: “While we were deliberately careful to only target the printing processes of the unsecured printers during the experiment, IoT hijacking attacks – when performed by bad actors without ethical limitations – can cause serious damage to organizations and individuals who neglect printer security” (“We hijacked 28,000 unsecured printers to raise awareness of printer security”, CyberNews, October 7, 2022).
Anonymous Hacks Kremlin. In 2022, the hacking group Anonymous compromised printers in the Kremlin and over 40,000 printers across Russia, making them print anti-government and ransom messages as part of a cyberwarfare campaign against Russia, and highlighting vulnerabilities in even the most secure institutions (“Anonymous uses printers to disrupt Russia”, The Recycler, March 22, 2022; “Anonymous Hacks Into Russian Printers to Deliver Resistance Information”, Newsweek, Thomas Kika, March 21, 2022).
Risk of Credentials Harvesting
When thinking of the cyber risk associated with printers, businesses often overlook the extreme risk presented by the credentials each printer stores in order to access the other enterprise systems it is connected to and uses. These credentials are typically unhardened and stored as administrator-level credentials for those other systems. Bad actors can harvest the credentials and use them to move laterally and undetected.
Examples of the other connected systems include the email system (from scan to email), file share system (from scan to file) and credentials system (from authentication on the printer).
Physical Access Vulnerabilities
Printers, unlike other network endpoints, are unique with respect to physical access. Printers are in accessible, trafficked areas, making them susceptible to physical tampering such as through their open and available USB ports.
For example, if USB ports are not disabled, an employee can unknowingly insert a thumb drive from home that is infected with malware.
The physical access threat is often neglected but represents a significant risk to security.
Change Created Blind Spots
Printers are frequently moved, undergo end-of-life and beginning-of-life transitions, and are swapped and repaired, all of which requires automation to monitor and track inventory. Managing network configurations for a diverse and constantly changing print fleet, and coordinating with various support personnel, complicates the implementation and maintenance of security controls. Ensuring that each device remains correctly hardened and patched throughout its lifecycle is a logistical nightmare, made even harder by blind spots such as non-centralized printer purchasing and management (e.g., department-level purchasing).
Unsecured External Communications Not Addressed
Modern printers come equipped with “phone home” features that automatically communicate with their manufacturers for updates and support. These features are enabled unless hardened, i.e., phone home is a factory default. These remote communications capabilities pose significant risks because, together with other manufacturer service access capabilities, they create potential backdoors for cyber attackers if not hardened. If not properly managed, these connections can bypass network security measures, compromising the entire network and business.
Firmware Updates Undoing Hardening
One of the most overlooked risks is that a firmware update can reset all the hardening on the device (and its operational configuration) back to factory defaults, leaving it vulnerable. Without monitoring, this reversion goes undetected.
Example: Technician Factory Reset, Passwords
Hardening passwords is a crucial step, but without automation it is not trivial to establish or maintain. The untracked nature of printer deployments and the typical involvement of multiple support personnel and entities often lead to inconsistent application of strong password policies.
Password hardening is further complicated by the industry habit of resetting administrator passwords back to the factory default administrator passwords during a service call. These changes recur and typically remain hidden unless automation monitors for change.
Default, weak or reused passwords easily become a vulnerability, undermining the entire security framework.
To further complicate the discipline of password hardening, the passwords to be hardened, monitored and maintained typically include multiple administrator passwords on the same machine as well as communications passwords.
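The recurring theme of the last two sections is that hardening silently reverts (after a firmware update or a technician's factory reset) and stays hidden unless something automatically compares each device against its expected state. The following is an added example of that kind of configuration-drift check, not code from the article or from any printer vendor; it assumes your own tooling already exports each printer's settings into a dict on a schedule, and every device record in it is constructed sample data. It distinguishes an isolated change (one setting flipped) from the many-settings-at-once signature of a factory reset.

```python
# Added example (not from the article or any printer vendor): configuration-drift detection
# for a print fleet; assumes your tooling exports device settings to dicts. Data is constructed.
from dataclasses import dataclass, field

# Hardened state every device must match (constructed baseline; yours will differ).
HARDENED_BASELINE = {
    "admin_password_is_default": False,  # OEM default admin password replaced
    "usb_host_port_enabled": False,      # walk-up thumb-drive port closed
    "raw_9100_enabled": False,           # raw print port closed
    "lpd_enabled": False,                # Line Printer Daemon closed
    "phone_home_enabled": False,         # OEM remote-service channel off
}
# This many settings reverting at once looks like a factory reset or firmware rollback.
RESET_SIGNATURE_THRESHOLD = 3

@dataclass
class DriftReport:
    device: str
    drifted: list = field(default_factory=list)
    likely_factory_reset: bool = False

def check_device(device, previous, current, baseline=HARDENED_BASELINE):
    """Compare one device's current snapshot to the baseline and to its prior snapshot."""
    report, reverted = DriftReport(device), 0
    for key, hardened in baseline.items():
        cur = current.get(key)  # None means the setting is missing from the export
        if cur != hardened:
            report.drifted.append(f"{key}: expected {hardened}, found {cur}")
            if previous.get(key) == hardened:  # compliant last time, not now: reverted
                reverted += 1
    report.likely_factory_reset = reverted >= RESET_SIGNATURE_THRESHOLD
    return report

def check_fleet(previous_snapshots, current_snapshots):
    """Report only devices that drifted; a device absent from `previous` is treated as new."""
    reports = (check_device(dev, previous_snapshots.get(dev, {}), cur)
               for dev, cur in current_snapshots.items())
    return [r for r in reports if r.drifted]

# Constructed snapshots: all three devices were fully compliant last week.
LAST_WEEK = {dev: dict(HARDENED_BASELINE) for dev in ("mfp-lobby", "mfp-hr", "mfp-lab")}
TODAY = {
    "mfp-lobby": dict(HARDENED_BASELINE),                            # unchanged
    "mfp-hr": {**HARDENED_BASELINE, "usb_host_port_enabled": True},  # one isolated change
    "mfp-lab": {k: True for k in HARDENED_BASELINE},                 # everything reverted
}
if __name__ == "__main__":  # demo over the constructed snapshots
    for r in check_fleet(LAST_WEEK, TODAY):
        print(r.device, "LIKELY FACTORY RESET" if r.likely_factory_reset else "drift", r.drifted)
```

Running it flags mfp-hr as a single drifted setting and mfp-lab as a likely factory reset, while the compliant mfp-lobby produces no report; in practice the snapshot export and the alerting sink are the parts you plug in.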