In June, numerous universities, local businesses and churches woke up to unauthorized print jobs on their printers and fax machines that said the following:
I’ll be brief.
I installed several explosives in the building.
If you do not send in the amount of $25,000 by May 31st I
will blow up this whole block.
If you try to contact the police, I’ll know.
I also have access to your computers and email addresses.
Go to the nearest WesternUnion agency and send the
amount to Emerson Eduardo Rodrigues Setim. The pass-
port number is FO645170. It’s a brazillian passport. The city
that the money will be withdraw is Chicago, Illinois, USA.
Do As I say and no one will get hurt.
PS: I repeat, if you try to contact the police i will know.
Although this turned out to be a hoax and the threat wasn’t credible, it shows that the security landscape is constantly changing. Just relying on building security or network security may not be enough.
Institutions such as Vanderbilt University, the University of Virginia and Shiloh Missionary Baptist Church were targeted by the scammers who exploited the open ports of printers that were connected to the Internet. Such a setup allowed anyone who connected to those printers’ IP addresses to print to them. In most cases, it was Port 9100, the printer’s default printing port.
Printers Have a History of Vulnerabilities
Printers have faced security issues since the inception of LaserJet products in the late 1980s. The problem received more attention in the late 1990s with the advent of networking combined with embedded web servers and vulnerabilities in PostScript and Printer Job Language (PJL) processing.
As products morphed into multifunction printers that can print, copy, scan, fax and more all in one device, the threat vectors expanded and became more challenging. Today’s multi-function printers (MFPs) can be used as file servers, they can send emails and they can act as DHCP servers with the capacity to hold large data sets.
As products morphed into multifunction printers that can print, copy, scan, fax and more, all in one device, the threat vectors expanded and became more challenging. Today’s multi-function printers (MFPs) can be used as file servers, they can send emails and they can act as DHCP servers with the capacity to hold large data sets.
Today’s MFPs are sophisticated computing devices, according to the Federal Trade Commission (FTC). It is estimated that 61 percent of organizations have reported at least a single print-related data breach in the past year.
Modern MFPs face a range of threats and vulnerabilities including:
- Unauthorized access to print data: This includes someone walking over to the printer and accessing documents belonging to someone else.
- Unauthorized configuration changes: Unauthorized users change the printer configuration to route the print jobs elsewhere.
- Print job manipulation: This may include replacing the print content with something else or inserting new content in the print jobs, deleting logs to interfere with repudiation or other activities.
- Print data disclosure: This includes accessing the print data from memory, the file system and memory, print jobs and from hard drives when printers are decommissioned.
- Printer as an attack point: A compromised printer can be used to attack other applications, execute arbitrary malicious code or attack other systems (e.g., to launch a denial of service attack on the printer/network).
- Cloud printing risks: The inherent risk in cloud printing is that the print job is rendered on public infrastructure and sent to a printer using something like Postscript. This approach can be susceptible to man-in-the-middle attacks or someone trying to gain access to an enterprise network through cloud printing channels.
The June printer hoax shows how these threats can be complicated by a variety of additional factors:
- Smaller organizations not having enough IT staff to manage and monitor every print device, leaving most printers with default configurations.
- Most security efforts are focused on perimeter security and network security, while security of other business systems often falls behind.
- Traditional secure print capabilities rely on users entering username and PIN to release their print jobs, thus creating a cumbersome end-user experience. In a campus environment, such deployment is a non-starter because of the volume of students and print jobs.
Wireless printer connections also impact security. In addition to inheriting all the above risks, wireless printing opens up new avenues for the attackers. With Wi-Fi, an attacker can carry out such proximity attacks as getting the printer to connect to a malicious network and then execute harmful code while being outside of the walls.
Risk Reduction Begins with Knowledge
How can campuses prevent incidents like this and improve printer security both in terms of security tools and practices as well as human behavior?
First, it is important to understand an organization’s users, their needs and what capabilities they desire from their printing systems. Today’s students, for instance, are more interested in convenience than privacy and security, so the latter needs to be met while still addressing student expectations.
Second, as the FTC recommends, IT security plans cover digital copiers and printers. The MFPs should be configured properly to ensure that no default setting can be exploited. Since modern MFPs have a web interface for configuration and control, it is important to set a strong administrator password at deployment.
Administrators should also ensure that the printer is only accessible by campus IP addresses and that they have disabled all unnecessary services such as FTP, Telnet and other network and discovery protocols.
Additionally, printer security should be included in the security policy and employee training procedures, and the organization should establish a regular schedule of audits and firmware updates, and secure (and patch) printers according to manufacturer’s recommendation. Look to invest in solutions like secure printing that not only provide convenience but also enhance security.
A step further will be to make the MFPs identity-aware. Using location and user authentication, it can be ensured that the print data stays away from the prying eyes. Identity-aware systems handle today’s challenges much more effectively than traditional practices and will continue to do so going forward.
Printers Must Adapt to Future Trends
It is necessary to ensure that the platform capabilities built today will be applicable tomorrow. Any investments that are made in printing solutions must take into account future trends in authentication and printing.
For instance, a recent study estimates that 48 percent of the users expect mobile devices to be the main form of ID in next five to seven years. With this trend, it is important to ensure that print platforms can identify the authorized users using a variety of form factors, including cards, mobile phones and wearables.
Additionally, it is critical that increased security doesn’t come at the expense of convenience. The next generation of students expects everything to happen instantly, and any experience that does not meet that expectation will be rejected. This is one of the greatest benefits of a secure, identity-aware print solution.
While the campus could combat threats by forcing students to connect to the university network using a virtual private network (VPN), this is inconvenient and generally negates the ability to print on demand or from handheld devices and cloud storage. But with a secure, identity-aware print solution, users can authenticate themselves to any printer on campus and take advantage of everyday devices like mobile phones and wearables.
There is no silver bullet or panacea to address the new threats, but a conscious security policy and identity-aware printing systems can address most of today’s challenges while paving the way for new capabilities. With the right platform in place, administrators can reduce their privacy and security risks today and in the future, while continuing to enhance the user experience.