Interview

Should network printers be patched?

Editorial staff
I've read that network printers are becoming an attack vector. To what extent is this true, and are special defenses or actions needed to ensure printers aren't a weak point on my network?
You are correct: printers are a juicy target for several reasons. First off, they often store sensitive documents in their print spool. Printers are often combined with a document scanner, too, and docs are often stored in the scanning archive for far longer than most people expect.

Second, combination printer/scanner/fax machines are increasingly sophisticated, and they have general-purpose computers installed inside to control all of the action. Attackers can access printers in several ways, such as a modem, wireless access point, or through a jump-off from spyware-infected desktops. After gaining access, they can use this power to hit other machines on your internal network.

Thirdly, Windows and Linux systems are often built into many modern printers. Because these computer controllers get little hardening and patching attention, they are often vulnerable.

Fourthly, most printers have unfettered access to an internal network. Thus, an attacker who compromises a printer can scan all over for exploitable systems.

Finally, security personnel often don't monitor or give such devices much attention because, after all, they are "only printers." This last perspective is quite unfortunate.

So, what can you do? First, harden your printers. Shut off any unneeded services

    Requires Free Membership to View

that the printer offers, such as File Transfer Protocol (FTP). Most organizations do not need FTP access to their printers, and it can often cause more harm than good. For instance, some printers allow an attacker to make FTP requests and take jobs off of a print spool anonymously. Also, many FTP services on modern printers are subject to FTP bounce attacks. With a tool like Nmap, an attacker can obscure the source of a port scan, convincing a compliant FTP server to allow proxy FTP connections. For more details on these types of bounce attacks, check out the great write-up by Fyodor, the author of Nmap. While such FTP bounce scans are old techniques, I have found that a remarkable number of brand-new print servers are susceptible to such attacks.

Next, shore up the management protocol used for the printer. Most modern printers support some sort of management via HTTP and/or HTTPS, and a few even support Telnet or Secure Shell (SSH). Carefully choose a management protocol that provides encryption, like HTTPS or SSH.

By default, most printers allow admin access with either no password or a widely known default one. Change the password to a value that is more difficult to guess.

Lastly, make sure that your printer doesn't have wide-open access to the rest of your internal network. Consider putting your printers on their own private VLAN. Filter access to that LAN so that the printer can receive print jobs, but not initiate connections to any other systems. Going further, if you have the budget and the time, you can even put a firewall in front of your printers to really limit access to and from them.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: