Security Hazards Of The IoT: Your Printer Is A Vulnerability Minefield

What can you do to secure your printers and network?

Thankfully, remediation is not significantly different from securing other aspects of your network and other endpoint devices.

The first, and simplest, line of defense is to change default settings. Change any default passwords or set administrative passwords if it has none. Lock down wireless access if it is not needed. Disable insecure services such as FTP and Telnet if you don’t plan to use them. If you do plan to utilize them, consider working with a more secure alternative and then disable them.


Second, update the printer's firmware. Firmware encompasses much more than the device’s functionality. Many malware packages use tricks such as buffer overflows to bypass traditional safeguards. Often firmware is released exclusively to patch a security holes such as these. Your printer can only begin to be secure if its software is up to date.

Third, establish a permission control system. Ensure your users, whether they're in the office or home, only have access to print functions they need to accomplish their job. Much of this mirrors the first step, however, many organizations have groups of users who require special access. Depending on the printer and network environment, this may be handled at the printer or domain level.

So that’s it?

Well, no. Security is always advancing and hackers are consistently finding new ways in. It is foolish to assume that your organization will never be breached. A proper security plan needs to incorporate recovery routes. Recovery starts the moment an intrusion is detected.


Detection - there’s tricky business. Can you say with certainty that your printers have not been breached? How do you know? Sure, you probably have software monitoring your servers and computers, but what about your printers? According to Michael Howard of HP, very few of you can honestly say you would know and have a plan in place. His sobering talk is here... 


His emphasis is on maintaining accountability. Know what printers are on your network, know who is printing to them, and know when and what they are printing. Secure the device, secure the data, and secure the document.

For example, HP enables admins to secure their printers in four key areas. First, a feature called Sure Start verifies the device BIOS on boot to keep it free of corruptions. Second, HP printers employ whitelisting to control what changes can be made to the system’s firmware. Third, they monitor the printer’s memory for run-time intrusions and trigger a reboot if malicious activity is detected. Finally, they offer JetAdvantage Security Manager to centrally control, configure, and secure all printers on the network automatically.


Unfortunately, HP only offers these solutions on enterprise class products. Smaller businesses using even their Pro line of printers are still reliant on manual intervention and configuration. HP claims the obstacle is primarily cost here. If they really want to move beyond simply raising security awareness, they need to offer their solutions at all levels of business operations. The mom and pop store down the street is probably going to employ the cheapest model printer available that meets their print needs. They likely do not have an on staff IT person, so why not just ship a secure printer?

Well, according to HP anyway, it isn’t that simple. Security is a balancing act that seeks to find the line between meeting business demands and not exposing too much. A perfectly secure printer could not be used by anyone. Perfect security = a bricked device.


At the other end of the spectrum, printers have to maintain backwards compatibility. For better or worse, business operations can be slow to adapt to newer standards. Printers need to work out of the box for users not savvy enough to dive into the settings and configure them.

Personally, we do not see why this cannot be addressed by a more indepth setup wizard on first boot. Language? WiFi? Telnet? FTP? Alternatively, disable these options out of the box (instead of enabling them) and if a company has legacy systems that rely on them without IT professionals to make the configurations, then those companies can be the ones to pay for extra support. We really cannot afford to continue hampering security moving forward for the sake of a few hold outs. Yes, it will generate more support calls for a time, but the Internet will be safer in the long run.

One last thing...

We would like to touch on a topic that was brought up during our meeting with HP and we want to lay down a little more pressure on them: bug bounty programs. For the record, and to be candid, HP is investigating the implementation of one but we were not convinced of their enthusiasm. For the uninitiated, bug bounty programs are setup by tech companies to reward ethical disclosures of security flaws in their products. There is typically a process by which these flaws are confidentially reported, a patch is created, and a cash prize goes to the researcher.

The counter argument to establishing a bug-bounty program is that it creates a target on your systems for thousands of outsiders to pick over with a fine tooth comb. We can see how that could be nerve-wracking and somewhat resource intensive for a company, but honestly that's a poor excuse.


A company of HP’s size already has tens of thousands of attacks on their system per day from malicious entities. The “bad guys” are already exploiting your products for their own profit. Implementing a bug bounty program does not change that fact. It does, however, bring in the “good guys” as well. We don’t care how good your internal development team is, your products are not perfect and more eyes are better. Incentivize ethical hackers, or they will help your competition who is smart enough to leverage their assistance.

There is another element to the bug bounty process as well. As a systems administrator looking for a new device, a bug bounty program signals that you have confidence in your own product. Conversely, if you are hesitant to enact a bug bounty program, maybe I need to stay away from your products because you seem to be hiding vulnerabilities. I’m not going to bet my security dollars on your product if you do not stand behind it with more than measured marketing claims.

In conclusion…

 
Regardless, it is good to see HP at least taking the initiative to tackle print security and have an open forum discussion about it. Printers need to be handled every bit as seriously as other endpoints within an organization, perhaps even more-so than most with the valuable, often confidential or proprietary data they’re working with. We also hope to see similar innovations and efforts from other players in the print industry. We cannot let print security be a closed discussion.

What issues or ideas do you have in mind that you would like HP and the broader tech industry to take to heart?