Tag Archive for Backdoor

How Secure are Your Printers?

Printers are under the security microscope again. Printers are IoT devices that sit on the network and never get updated. I have covered the problems that printers cause a number of times on the Bach Seat. Now more vulnerabilities have been identified by UK-based security consultancy NCC Group in six popular enterprise printers.

Vulnerabilities in printers

The research team was made up of Daniel Romero, managing security consultant and research lead, and Mario Rivas, security consultant at NCC Group. They identified several classes of vulnerabilities in printers, including:

  • Denial of service attacks that could crash printers;
  • The ability to add backdoors to printers to maintain attacker persistence on a network;
  • The ability to spy on every print job sent to vulnerable printers;
  • The ability to forward print jobs to an external internet-based attacker.

Matt Lewis, research director at NCC Group, told ComputerWeekly,

Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT.

Who to blame

There is plenty of blame to share for most of these latest vulnerabilities. Mr. Lewis says the manufacturers are causing these problems by neglecting to build security into their products.

Building security into the development life-cycle would mitigate most, if not all, of these vulnerabilities and so it’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.

End users have to take some of the blame as well, according to NCC Group:

Corporate IT teams can also make small changes to safeguard their organization from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides, and regularly updating firmware.

Impacted printer models

The printers tested by the researchers were from HP, Ricoh, Xerox, Brother, Lexmark, and Kyocera.

NCC Group found vulnerabilities in HP (HPQ) printers. The Color LaserJet Pro MFP M281fdw printers have buffer overflows, cross-site scripting (XSS) vulnerabilities, and a bypass of their cross-site request forgery (CSRF) countermeasures.

HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. “HP encourages customers to keep their systems updated to protect against vulnerabilities,” the company said in a statement.

The vulnerabilities NCC Group found in Lexmark CX310DN printers include a denial of service vulnerability, information disclosure vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

NCC Group found vulnerabilities in Kyocera (KYO) Ecosys M5526cdw printers. The security holes include buffer overflows, broken access controls, cross-site scripting vulnerabilities, and lack of cross-site request forgery countermeasures.

NCC Group identified stack buffer overflows, heap overflows and information disclosure vulnerabilities in Brother (6448) HL-L8360CDW printers.

The vulnerabilities reported in Ricoh (RICOY) SP C250DN printers include buffer overflows, lack of account lockout, information disclosure vulnerabilities, denial of service vulnerabilities, lack of cross-site request forgery countermeasures, and hard-coded credentials.

NCC Group claims the Xerox (XRX) Phaser 3320 printer vulnerabilities include buffer overflows, cross-site scripting vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.
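Several of the findings above (lack of account lockout, default or hard-coded credentials, missing CSRF countermeasures, outdated firmware) are exactly the things NCC Group's advice to IT teams (change defaults, enforce a secure configuration guide, keep firmware current) is meant to catch. The script below is an added example of what such a configuration guide looks like when turned into an automated audit; it is not code from NCC Group, the Bach Seat, or any printer vendor. The model names, baseline firmware versions, check names and both snapshots are constructed for illustration, and in practice the snapshot fields would be pulled from each device's management interface and the firmware baseline from the vendor's release notes.

```python
"""Audit printer configuration snapshots against a hardening baseline.

Added example for this post; it is not code from NCC Group or any vendor.
Model names, firmware versions and the snapshot values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical minimum firmware per model. Populate this from the vendor's
# current release notes in practice; the models and versions here are made up.
MIN_FIRMWARE: Dict[str, Tuple[int, ...]] = {
    "EXAMPLE-MFP-1": (2, 5, 0),
    "EXAMPLE-LASER-2": (1, 12, 3),
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
# Services with no business need on most fleets; each one is attack surface.
LEGACY_SERVICES = {"telnet", "ftp", "http"}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str
    detail: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1): compare numerically so 2.10 is newer than 2.9."""
    return tuple(int(part) for part in text.strip().split("."))


def audit(snapshot: dict) -> List[Finding]:
    """Return one Finding per baseline rule the snapshot violates."""
    host = snapshot["host"]
    findings: List[Finding] = []

    baseline = MIN_FIRMWARE.get(snapshot["model"])
    if baseline is None:
        findings.append(Finding(host, "firmware", f"no baseline for model {snapshot['model']}"))
    elif parse_version(snapshot["firmware"]) < baseline:
        findings.append(Finding(host, "firmware", f"{snapshot['firmware']} older than baseline"))

    if not snapshot.get("admin_password_changed", False):
        findings.append(Finding(host, "default-credentials", "admin password never changed"))

    # Without lockout, a password-guessing attack against the web admin runs unhindered.
    if not snapshot.get("lockout_threshold"):
        findings.append(Finding(host, "account-lockout", "no lockout after failed logins"))

    for community in snapshot.get("snmp_communities", []):
        if community in DEFAULT_SNMP_COMMUNITIES:
            findings.append(Finding(host, "snmp-default-community", community))

    for service in sorted(set(snapshot.get("services", [])) & LEGACY_SERVICES):
        findings.append(Finding(host, "legacy-service", f"{service} enabled"))

    if not snapshot.get("csrf_protection", False):
        findings.append(Finding(host, "csrf", "web admin has no CSRF token check"))

    return findings


def audit_fleet(snapshots) -> Dict[str, List[str]]:
    """Map each host to the sorted list of failed check names (empty list = clean)."""
    return {s["host"]: sorted(f.check for f in audit(s)) for s in snapshots}


# Constructed snapshots: one printer left at factory settings, one hardened.
SNAPSHOTS = [
    {"host": "prn-lobby", "model": "EXAMPLE-MFP-1", "firmware": "2.4.9",
     "admin_password_changed": False, "lockout_threshold": 0,
     "snmp_communities": ["public"], "services": ["http", "https", "telnet", "ipp"],
     "csrf_protection": False},
    {"host": "prn-finance", "model": "EXAMPLE-LASER-2", "firmware": "1.12.3",
     "admin_password_changed": True, "lockout_threshold": 5,
     "snmp_communities": ["ops-ro-7f3a"], "services": ["https", "ipp"],
     "csrf_protection": True},
]

if __name__ == "__main__":
    for snapshot in SNAPSHOTS:
        for finding in audit(snapshot):
            print(f"{finding.host}: {finding.check}: {finding.detail}")
```

Two design points are worth noting. Firmware versions are compared as integer tuples rather than strings, because a string comparison ranks "2.9" above "2.10" and would silently pass an outdated device. And a model with no baseline entry is reported as a finding rather than skipped, so a printer that was never added to the configuration guide shows up in the report instead of disappearing from it.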


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Snoops Offer Security Tips

In one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (NSA) has published a report with advice for companies on how to deal with malware attacks. FierceITSecurity says the report (PDF) boils down to “prevent, detect and contain.” To be more specific, the report recommends that IT security pros:

  • Segregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
  • Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
  • Deploy, configure, and monitor application whitelisting to prevent malware from executing;
  • Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
  • Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters (PDF) to catch the malware before it breaches the network;
  • Maintain and monitor centralized host and network logging products, after ensuring that logging is enabled on all devices and their logs are collected, to detect malicious activity and contain it as soon as possible;
  • Implement pass-the-hash mitigation to cut credential theft and reuse;
  • Deploy the Microsoft (MSFT) Enhanced Mitigation Experience Toolkit (EMET), or an equivalent anti-exploitation capability for devices running non-Windows operating systems;
  • Employ anti-virus file reputation services (PDF) to catch known malware sooner than normal anti-virus software;
  • Implement host intrusion prevention systems to detect and prevent attack behaviors; and
  • Update and patch software in a timely manner so known vulnerabilities cannot be exploited.
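Two of the recommendations above, restricting workstation-to-workstation communication and monitoring centralized network logging, reinforce each other: once the restriction is in place, any workstation that reaches another workstation over an administration protocol is a signal worth alerting on. The script below is an added example of that detection run over flow logs; it is not from the NSA report or from FierceITSecurity. The address plan (workstations in 10.20.0.0/16, servers in 10.30.0.0/16), the port-to-service table, the log format and every log line are constructed for the example, and a real deployment would read the firewall's own export format instead.

```python
"""Flag workstation-to-workstation admin-protocol traffic in flow logs.

Added example for this post; it is not from the NSA report. The subnet
layout, the port table and every log line below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed address plan: workstations in 10.20.0.0/16, servers in 10.30.0.0/16.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Remote-administration ports. Workstation-to-workstation use of these is what
# the "restrict workstation-to-workstation communication" advice is meant to stop.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 22: "SSH"}

# Constructed firewall flow records: timestamp src dst dport proto action
FLOW_LOG = """\
2015-09-01T08:00:01Z 10.20.1.15 10.30.0.5 445 TCP allow
2015-09-01T08:00:04Z 10.20.1.15 10.20.1.22 445 TCP allow
2015-09-01T08:00:09Z 10.20.1.15 10.20.1.23 445 TCP allow
2015-09-01T08:00:11Z 10.20.1.15 10.20.1.24 3389 TCP allow
2015-09-01T08:00:15Z 10.20.1.15 10.20.1.25 5985 TCP allow
2015-09-01T08:01:30Z 10.20.2.40 10.20.2.41 445 TCP deny
2015-09-01T08:02:12Z 10.20.3.7 10.30.0.8 3389 TCP allow
2015-09-01T08:02:50Z 10.20.3.7 10.20.3.9 80 TCP allow
malformed line that should be skipped
"""


def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def parse_flow(line: str) -> Optional[dict]:
    """Return a record for a well-formed line, or None so bad lines are skipped, not fatal."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, dst, dport, proto, action = fields
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                "proto": proto, "action": action}
    except ValueError:
        return None


def lateral_events(log: str) -> List[dict]:
    """Allowed flows between two workstations on an administration port."""
    events = []
    for line in log.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["action"] != "allow":
            continue  # denied flows show the restriction working; no alert needed
        if rec["dport"] in ADMIN_PORTS and is_workstation(rec["src"]) and is_workstation(rec["dst"]):
            rec["service"] = ADMIN_PORTS[rec["dport"]]
            events.append(rec)
    return events


def fan_out(events: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Sources that reached at least `threshold` distinct peer workstations.

    One workstation touching many others over admin protocols in quick
    succession is the classic lateral-movement shape the NSA list targets.
    """
    peers: Dict[str, set] = {}
    for event in events:
        peers.setdefault(event["src"], set()).add(event["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    found = lateral_events(FLOW_LOG)
    for event in found:
        print(f"{event['ts']} {event['src']} -> {event['dst']} {event['service']}")
    for src, count in fan_out(found).items():
        print(f"ALERT: {src} reached {count} workstations over admin protocols")
```

Flows to servers and flows on non-administrative ports are deliberately left alone, so the rule stays quiet on ordinary file-server and web traffic, and denied flows are dropped because the firewall already contained them. Tuning the `threshold` sets how many peers a single source may contact before the fan-out alert fires.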

The author quotes from the report:

Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network … While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.

rb-

For those who have not been following along, the TLAs have been attacking and manipulating anti-virus software from Kaspersky.

We also now suspect that the TLAs have compromised at least one and probably two hardware vendors. Business Insider recalls that, way back in 2013, as part of the Edward Snowden NSA spying revelations, German publication Spiegel wrote an article alleging that the NSA had done a similar thing: put code on Juniper Networks (JNPR) security products to enable the NSA to spy on users of the equipment.

Over at Fortinet (FTNT), they had their own backdoor management console access issue that appeared in FortiOS firewalls, FortiSwitch, FortiAnalyzer and FortiCache devices. These devices shipped with a secret hardcoded SSH login protected by a secret passphrase.

The article seems like advertising for the TLAs’ hacking program.
