Often in our network security presentations we discuss printers as being a prime target for hackers. After a few days of cyber-security demos while at InfoComm 2017, we actually had IT team members from a well-known university come up to us and confide that all of their printers had been hacked. In fact, they did not know for how long these printers had been compromised. They only learned of the hack when the hacker(s) decided to show their hand, instructing the printers to all print bomb threats simultaneously.
In February 2017, a white-hat (good guy) hacker with the handle "Stackoverflowin" hacked 160,000 printers to "raise awareness" of their vulnerabilities. Using his own automated script, Stackoverflowin detected insecure printers manufactured by a wide range of companies, including HP, Brother, Epson, and Canon. He instructed the machines to print a document informing victims of the hack, with ASCII art interspersed throughout. Had he been a black-hat hacker, he would never have let his presence be known. He would instead have made the printer his remote listening post for all things digital.
But why do hackers like printers so much? Let's unpack this, shall we?
A hacker will most likely enter your network from a mobile device or PC (behind the firewall), usually through a successful phishing attack, an infected web link, or a previously infected device joining your Wi-Fi. Once on your network, the hacker knows that the PC will likely leave the network or shut down in the near future, so he/she will look for a more permanent device to set up shop in.
The device they look to hack will meet the following criteria:
1. Reside permanently on the network
2. Have rudimentary to no security
3. Have no antivirus program running
4. Be "up" on the network 24/7
Devices that meet these requirements include most IoT devices: cameras, baby monitors, smart bulbs/sockets, control systems, etc. And, of course, printers. Printers are the most desirable because, in addition to the above, they meet the following criteria:
1. Relatively powerful processor/architecture
2. Large amount of RAM and onboard storage space for more comprehensive hacking tools
3. Ability to automatically send PDF copies of all print jobs and scanned documents via daily email to the hacker
The average hack takes three hours to complete and is not detected for 260 days. How would you determine if a printer on one of your networks was hacked? What would you do about it if you did discover a hacked printer?
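One starting point for the first question, based on item 3 of the list above: look in firewall or flow logs for printers sending mail to anything other than your own mail relay. This is an added example, not part of the original article; the log format, the IP addresses and the relay address are constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, mail submission

# Constructed sample flow log: timestamp,src,dst,dst_port,bytes (format is an assumption).
SAMPLE_LOG = """\
2017-06-12T02:00:11,10.0.5.21,10.0.1.10,587,48213
2017-06-12T02:00:40,10.0.5.22,203.0.113.77,587,9120455
2017-06-12T09:14:02,10.0.8.40,203.0.113.77,443,5120
2017-06-13T02:00:38,10.0.5.22,203.0.113.77,587,8804120
2017-06-13T11:30:00,10.0.5.21,10.0.1.10,587,51200
2017-06-14T02:00:41,10.0.5.22,203.0.113.77,587,10233871
"""

def find_suspect_mail_flows(log_text, printer_ips, approved_relays):
    """Return {(printer, destination): stats} for printer mail traffic
    that bypasses the approved relays."""
    printers = {ipaddress.ip_address(p) for p in printer_ips}
    relays = {ipaddress.ip_address(r) for r in approved_relays}
    hits = defaultdict(lambda: {"days": set(), "flows": 0, "bytes": 0})
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, port, size = row
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, size = int(port), int(size)
        except ValueError:
            continue  # unparsable address or number
        if src_ip in printers and port in MAIL_PORTS and dst_ip not in relays:
            entry = hits[(src, dst)]
            entry["days"].add(ts[:10])  # date part, to spot a daily pattern
            entry["flows"] += 1
            entry["bytes"] += size
    return dict(hits)

if __name__ == "__main__":
    found = find_suspect_mail_flows(SAMPLE_LOG, ["10.0.5.21", "10.0.5.22"], ["10.0.1.10"])
    for (src, dst), s in found.items():
        print(f"{src} -> {dst}: {s['flows']} flows on {len(s['days'])} days, {s['bytes']} bytes")
```

A printer that sends large mail flows to the same outside address on consecutive days deserves a closer look at its scan-to-email and forwarding settings.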
Networked printers can be a hacker's long-term gateway into an entire business or private residence. Printers typically receive, process, store and print extensive sensitive data, from intellectual property to personally identifiable information (PII) and protected health information (PHI). Accordingly, they present a golden opportunity for attackers to commit long-term data breaches, achieve financial gain or bring about reputational damage.
Many attackers use malware in the form of automated printer attack tools or other methods to compromise printers through network connections. Once a hacker succeeds, that breach can be leveraged for many purposes. The most common aims are gaining unauthorized access to any information being sent to that printer, and using the printer as a starting point to infiltrate other systems.
Given these risks, we should take stock of printer-related concerns and develop a realistic plan to address them.
For more information on securing printers and other IoT devices, feel free to contact me or my team members at FIREFX.