Who would have thought that printers would be a practical threat vector? I didn’t until it was pointed out to me, at which point palm meets forehead because it is unbelievably obvious!! Every single office I’ve ever worked in has MFPs, Multi Function Printers, which allow you to scan, email, fax, photocopy and even print.
What’s the hype?
There were lots of silly quotes in the news on this vulnerability, which had been specifically linked to HP printers:
Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? [Ed: No] – MSNBC, 29 November 2011
What’s the reality?
I’ll skip over the technical nitty-gritty of it, because its tedious, but essentially patches and updates were being installed without being validated as having come from HP. Would you install an application that randomly started downloading to your computer? Probably not, but unlike these printers you can make a choice. They’re just responding to a correctly formed instruction.
As HP said, they’re printers all have thermal cutouts which are electromechanical switches and can’t be remotely hacked.
What’s the threat?
It’s not fiery printer death. What it actually is, is far more insidious. Imagine if you could copy every scan or print from any printer. If you could do this at a bank, you could get transaction details, sensitive deal information, HR records… The list goes on, and the scenarios are infinite.
This sort of attack lets you copy anything and everything from any infected printer.
As an aside, lots of businesses have shifted to proximity printing in part for security reasons. Proximity printing makes you stand by the printer while you swipe your access card to make it print out whatever you had sent. Hopefully stopping anyone else from getting your prints, and the obvious risks involved with that.
What can you do?
This is tricky… As the video goes on to say, what we’re dealing with here are Embedded Systems and they are typically running bespoke operating systems. Or more accurately they are simply state machines that respond to various inputs/scenarios and respond, I would imagine they’re written (at least in part) in C because of their need to interface and manage control systems.
The answer is, as with all security problems, defence in-depth. You need to protect the network, the print server and the clients.
Going more technical here, so escape now while you can…
In a properly configured enterprise network it would be sensible to restrict the physical port that the printer is connected to allow only connections from the print server over established ports. This would make scanning the network pointless, and reduce the attack surface.
It also makes sense to use IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) to look at the network traffic, these are generally updated quickly and can address threats of this nature faster than manufacturers can develop patches.
The usual bits and pieces are needed here! Print servers should be running patched operating systems, have current antivirus and in Windows environments should be using AD to validate users.