Though rarely discussed in a cyber context, the prevalence of connected printers and MFPs poses security risks both technological and physical. What does a print security strategy need to take into account?
“Zo lek als een mandje – As leaky as a basket. Data has been exfiltrated from tens of the country’s leading organisations – big name multinationals, airlines, banks and government intelligence agencies. Tonight, the details of how they were hacked can be seen on national television as we reveal the role of the humble printer in leaking the country’s secrets.”
This headline-grabbing trailer, or at least a version of it, appeared in 2012, in Dutch, as a major TV channel hacked printers and hard disks of the employees of those organisations in their own homes. Not only did this reveal vulnerabilities common across internet-enabled printers, but also how much corporate data lived in people’s homes.
Since that time, printers have proliferated and evolved into complex pieces of hardware with storage, wired and Wi-Fi connections, while the paperless office has proved to be nothing of the sort – and like any network attached device, it can become vulnerable.
In 2018, YouTuber PewDiePie gained notoriety when vulnerable printers across the world printed out unsolicited messages in support of his campaign to become more famous. It worked, but also showed the extent of the problem.
So, while we have all experienced that heart-stopping moment when we realise that we left that super confidential document in the printer tray, it is in its guise as a network device that the printer truly reveals its alter ego. Printers, or – more correctly – multi-functional devices (MFD), are effectively a shared computer with high capacity and relatively open network connectivity – after all, we might still need that fax.
MFD’s are often leased on a plug-and-forget basis and not managed as part of the IT asset inventory. As a consequence, they rarely get a security patch, making them an enduring weak spot on many corporate networks. Given the relatively high cost of an MFD, they are also used sparingly and shared across different network segments, effectively bridging those networks and undermining any air-gap.
Yet this should not come as news. We are used (or at least should be) to having unmanaged vulnerable devices on our network. They usually have the word ‘smart’ in front of them and take the form of coffee machines, office assistant speakers, door-bells and fridges. We know that these can be soft spots in our network security strategy, and we know the techniques that can help, such as microsegmentation and signal discovery tools.
If, as the original Dutch article claims, the printer is “as leaky as a sieve”, then perhaps we should acknowledge that it is leaky and must be managed the same way as other leaky or vulnerable devices, making the corporate network more like an Internet of Sieves.
The humble printer is here to stay, and the magic of paper and the printed word should be reward enough.