Printers are a Modern Hacker’s Delight for Ransomware and Malware

Chris Wahl · Posted on

Printer Security. Two words I had never put together in any meaningful way until attending an open house sponsored by HP Inc to help educate bloggers on one of the many ways that hackers are able to penetrate the enterprise. Seeing as how I’m not a security professional by any meaningful measurement, this full day of keynotes, presentations, and live demos blew my mind. In this post, I’m going to share all of the interesting tidbits I’ve learned with you in hopes that you can find value in your organization.

The backdrop for Michael “MafiaBoy” Calce to discuss his thoughts on modern hacking.

What the Heck is Printer Security?

Good question, and certainly one that I had when I started my day at the HP Print Security Blogger Open House. But first, let’s take a step back. Printers are everywhere. Most companies have one printer for every ten employees. That means a 10,000 person company could potentially have 1,000 printers sitting stalwart in the office halls.

Back when I started in IT and was first tasked with deploying printers, they were directly chained to a desktop computer by way of parallel cables. If you wanted to print something, you either had your own printer directly attached, used a (very expensive) print server device, or simply shared your printer via the network as a tethered resource. In summation: I didn’t spend a lot of time thinking about printers as anything more than an output device. I also don’t use them very often: I prefer electronic copies as I’m sure most techies do. 🙂

Fun fact: the Gibson was actually a multi-function printer (OK, not really)

Today, printers are almost always hooked directly into the LAN. They also have wireless adapters, mobile apps, and other “smart apps” that make printing from anywhere in the world extremely easy for the user. Printers come in a plethora of shapes and form factors such as multi-functional printers (MFP), all-in-one (AIO), or Multi-Function Device (MFD). The internal compute power is nothing to sneeze at, and a long list of services are often running for things like FTP, Telnet, and other applications for backwards compatibility with the first generation of printing devices. In reality, these things are servers.

What, then, is the issue? Many, many organizations are letting unmanaged, rarely monitored, full-featured servers sprawl all over the place without any central logging or user authentication. They are on the LAN with high speed links, default passwords (or no password), essentially everywhere that people work. Scared yet? Yikes!

This is the point where it started to sink in for me. While the power of one single device is relatively trivial, a botnet of devices, such as printers, becomes a powerful thing. Especially if there are no logs or authentication to help with forensics after a mess is made. That’s how events like what we saw at Dyn back in 2016 occur.

Some Ideas for the Future

By now, I assume you’re on board with the idea that printers are really just paper-munching servers and should be treated as such by IT Ops. And with this idea, it makes sense to start treating printing devices as managed endpoints with the normal “let’s secure this” attitude. At a bare minimum, I’d suggest:

  • Plug them into your security information and event management (SIEM) system to see information on authentication and access.
  • Grab the logs and shoot them over to a central syslog repository so that, if needed, access details can be audited or reviewed to figure out who’s entering (or attempting to enter) your environment.
  • Actively monitor the devices with the same rigor and fortitude used for production servers.
  • It wouldn’t hurt to use a segregated network, such as a 802.1q (VLAN) tag, to logically isolate print traffic from core server traffic.

There’s also product specific solutions that were highlighted by the very savvy folks at HP: the use of BIOS protection, secure boot, firmware integrity validation, and protected memory to safeguard against malicious code being introduced into memory during operation. These are all part of the HP Pro embedded print security feature suite for enterprise printing devices, which can be managed holistically with the JetAdvantage Security Manager using a policy-based approach.

Need more details? For a deeper dive, Ethan Banks and I plan to sit down with some of the really smart team members that I spoke with at HP during an upcoming Datanauts podcast! Hopefully this post has helped to whet your appetite in preparation for more delightful podcast goodness. Until then, secure your printers!