Should network printers be patched?

Security personnel often don't give network printers much attention; after all, they are "only printers." In this Q&A, Ed Skoudis explains why such devices are, in fact, a juicy target and need to be properly patched and hardened.


I've read that network printers are becoming an attack vector. To what extent is this true, and are special defenses or actions needed to ensure printers aren't a weak point on my network?

You are correct: printers are a juicy target for several reasons. First off, they often store sensitive documents in their print spool. Printers are often combined with a document scanner, too, and docs are often stored in the scanning archive for far longer than most people expect.

Second, combination printer/scanner/fax machines are increasingly sophisticated, and they have general-purpose computers installed inside to control all of the action. Attackers can reach printers in several ways, such as through a modem, a wireless access point, or a jump-off from spyware-infected desktops. After gaining access, they can use the printer to hit other machines on your internal network.

Third, Windows and Linux systems are built into many modern printers. Because these computer controllers get little hardening and patching attention, they are often vulnerable.

Fourth, most printers have unfettered access to an internal network. Thus, an attacker who compromises a printer can scan all over for exploitable systems.

Finally, security personnel often don't monitor or give such devices much attention because, after all, they are "only printers." This last perspective is quite unfortunate.

So, what can you do? First, harden your printers. Shut off any unneeded services that the printer offers, such as File Transfer Protocol (FTP). Most organizations do not need FTP access to their printers, and it can often cause more harm than good. For instance, some printers allow an attacker to make FTP requests and take jobs off of a print spool anonymously. Also, many FTP services on modern printers are subject to FTP bounce attacks. With a tool like Nmap, an attacker can obscure the source of a port scan, convincing a compliant FTP server to allow proxy FTP connections. For more details on these types of bounce attacks, check out the great write-up by Fyodor, the author of Nmap. While such FTP bounce scans are old techniques, I have found that a remarkable number of brand-new print servers are susceptible to such attacks.

Next, shore up the management protocol used for the printer. Most modern printers support some sort of management via HTTP and/or HTTPS, and a few even support Telnet or Secure Shell (SSH). Carefully choose a management protocol that provides encryption, like HTTPS or SSH.

By default, most printers allow admin access with either no password or a widely known default one. Change the password to a value that is more difficult to guess.

Lastly, make sure that your printer doesn't have wide-open access to the rest of your internal network. Consider putting your printers on their own private VLAN. Filter access to that LAN so that the printer can receive print jobs, but not initiate connections to any other systems. Going further, if you have the budget and the time, you can even put a firewall in front of your printers to really limit access to and from them.
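The filtering policy above can also be checked against connection logs. The following is an added example, not part of the original answer: it flags flows that break the "receive print jobs, never initiate connections" rule or that reach services other than printing and encrypted management. The subnet, port sets, admin host and flow-record format are assumptions made for illustration, and restricting management to one admin workstation goes a step beyond what the answer states.

```python
import ipaddress

# Assumptions for this example (not from the article): the printer VLAN subnet,
# the print ports in use, the admin host and the flow-record format.
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")
PRINT_PORTS = {515, 631, 9100}   # LPD, IPP, raw (JetDirect-style) printing
ENCRYPTED_MGMT = {22, 443}       # SSH, HTTPS
MGMT_HOSTS = {ipaddress.ip_address("10.1.1.5")}  # hypothetical admin workstation

# Constructed flow records: "initiator responder destination_port"
SAMPLE_FLOWS = """\
10.1.4.17 10.20.30.11 9100
10.1.1.5 10.20.30.11 443
10.1.4.17 10.20.30.11 21
10.1.4.99 10.20.30.12 23
10.1.4.99 10.20.30.12 443
10.20.30.11 10.1.7.40 445
10.20.30.12 10.20.30.11 80
"""

def check_flow(src, dst, dport):
    """Return a violation label for one flow, or None if policy allows it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in PRINTER_VLAN:
        # Printers should only answer connections, never open them.
        return "printer-initiated connection"
    if dst not in PRINTER_VLAN:
        return None  # not printer traffic
    if dport in PRINT_PORTS:
        return None  # ordinary print job
    if dport in ENCRYPTED_MGMT:
        return None if src in MGMT_HOSTS else "management from non-admin host"
    # FTP, Telnet, plain HTTP and anything else should be shut off or filtered.
    return "unneeded or cleartext service reached"

def audit(flow_text):
    """Return (src, dst, dport, reason) for every flow that violates policy."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        reason = check_flow(src, dst, int(dport))
        if reason:
            findings.append((src, dst, int(dport), reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

On the constructed sample, the FTP and Telnet flows, the HTTPS session from a non-admin host, and both printer-initiated connections are reported; the print job and the admin HTTPS session pass.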


