Printer Vulnerabilities Leave Companies at Risk

Today’s multifunction printers do a lot more than just print. They now offer a slew of capabilities—from fax to email and wireless networking—and each new function adds another opportunity for adversaries to exploit or for data to be inadvertently lost.

Research shows that printers are likely a common source of data loss among companies. A 2017 survey of 200 U.S. and European companies showed that more than half had experienced data loss incidents in the previous year linked to printers.[1]

Causes of printer-related data loss among survey respondents:

1. Digitally intercepted print jobs (50 percent)
2. Data lost from printer hard disks (48 percent)
3. Documents mailed to external sources via printers (44 percent)
4. Printers hacked to gain network access (18 percent)

Among known malicious incidents, attackers have shown a preference for targeting the physical capabilities of printers—either disabling them or hijacking their printing functions. Here are some of the ways that printer attacks have been used in recent years.

Causing Confusion: Attacks on banks often target printers as a way to reduce the situational awareness of the victims. Criminals have disabled printers that confirm SWIFT network transfers during attacks on numerous Indian banks.[2]

Held for Ransom: Ransomware known as Mamba, or HDDCryptor, can shut down printers by spreading across network shares via Server Message Block.

Vandalism: In 2016, an internet troll caused printers worldwide to print an anti-Semitic flyer by sending a PostScript file to exposed Port 9100s.[3]

Vigilantism: In 2017, hacker "Stackoverflowin" created an automated script that finds exposed printer ports and sends a print job to the machine that warns users of its vulnerability.

Unauthorized Data Recovery: For years, researchers have been able to recover stored copies of printed documents from used printers.[4] In 2010, a CBS News investigative reporter bought four printers for about $300 each and was able to recover pay stubs, domestic violence complaints, building design plans, and more. In 2013, the Department of Health and Human Services fined one company $1.2 million for HIPAA violations for failing to erase healthcare records saved on a printer that it had leased. [5]

Security researchers have been drawn to experiment on modern multifunction printers. In the process, they have uncovered a number of vulnerabilities:

Remote Code Execution and Lateral Movement: Telephone lines represent a weak point in most endpoint security solutions. In 2018, Check Point unveiled ‘Faxploit’—a method to run arbitrary remote code on a multifunctional printer via the telephone lines it uses to fax.[6] They demonstrated how that code could be used to deliver a secondary exploit and move laterally through the network. This method is useful for bypassing firewalls or establishing a beachhead on the unmonitored printer from which data can be exfiltrated.

Air-Gap Hopping: In 2015, Red Balloon Security demonstrated that circuit signals emitted by a wireless laser printer can be modified to transmit radio signals by installing malware on the device.[7] Dubbed the "funtenna hack" by researchers, this tactic may potentially allow threat actors equipped with a software-defined radio receiver and an AM radio antenna to intercept the signals.

Data Theft, Denial of Service, Remote Code Execution, Privilege Escalation: In 2017, German researchers unveiled their printer exploitation toolkit (PRET), a proof-of-concept utility for attacking network printers. The tool allowed them to compromise potentially sensitive information from a wide variety of devices and force devices into an infinite loop denial-of-service attack, escalate privileges, or remotely execute code.

Causing Physical Damage: In 2011, Columbia University researchers claimed to have discovered a vulnerability in one brand of printers that allowed them to remotely install malicious firmware during printing. In one case, this vulnerability was used to cause a heating apparatus inside the printer to overheat until it began smoking. A thermal switch caused the printer to turn off before it could catch fire.[8]

Cyber4Sight foresees several potential new attack types involving printers. Some may mirror recent Internet of Things (IoT) attacks that have compromised internet-connected devices at scale. Others may exploit the large number of functions that are available in these devices to wreak havoc in corporate environments.

Cryptomining: As ransomware decreases and cryptocurrency miners rise in popularity,[9] someone will likely attempt to infect the massive numbers of insecure web-connected printers to mine cryptocurrency.

Document Theft: Adversaries could devise new data-stealing botnets that specifically target insecure printers. Such attacks might insert malware onto printers that either exfiltrate all print jobs or only ones containing certain words or patterns (e.g., Social Security numbers). Such attacks would be of interest to criminals and state-linked actors alike.

Initial Network Point of Entry: Adversaries could exploit printers as points of entry before moving laterally within networks, enabling all manner of actions once inside, from data theft to destruction.

Document Modification: Adversaries could modify the content of documents as they’re being printed. If a shipping label printer were attacked, for example, merchandise could be rerouted to new mailing addresses, enabling theft.

Email Attacks: Fraudulent email messages posing as documents sent from printers are already commonplace, but attackers could improve on their methods by using multifunctional printers to send fraudulent messages via legitimate, internal email accounts. This type of attack could include distributing malware as document attachments or even business email compromise (BEC) fraud.

In a broader sense, the modern printer is yet another example of the growing ubiquity of IoT devices in corporate and personal environments, and the baseline of threats that come along with it. Being aware of the potential security risks to multifunctional printers is the first step in creating a more secure corporate environment.

[1] " Print security: An imperative in the IoT era," Quocira, January 2017, accessed June 29, 2018, https://www.ysoft.com/getattachment/fbbaf885-6427-4210-88c5-dc147d7d5230/Quocirca-Print-Security-Report-2017.aspx.

[2] Sudarshan Varadhan, "India bank hack 'similar' to $81 million Bangladesh central bank heist," Reuters, 19 February 2018, accessed 6 March 2018, hxxps://www.reuters.com/article/us-city-union-bank-swift/india-bank-hack-similar-to-81-million-bangladesh-central-bank-heist-idUSKCN1G319K

[3] " Thousands of Printers "Hacked" to Spew Anti-Semitic Flyers," SecurityWeek, March 29, 2016, accessed June 29, 2018, https://www.securityweek.com/thousands-printers-hacked-spew-anti-semitic-fliers

[4] "Digital Photocopiers Loaded With Secrets," CBS News, April 19, 2010, accessed June 29, 2018, https://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/

[5] "Photocopier Error Costs $1.2 Million in HIPAA Breach Fines," HIPPA Journal, April 25, 2013, accessed August 15, 2018, https://www.hipaajournal.com/photocopier-error-costs-1-2-million-hipaa-breach-fines/.

[6] Eyal Itkin and Yaniv Balmas, "Faxploit: Sending Fax Back to the Dark Ages," Check Point, August 12, 2018, accessed August 14, 2018, https://research.checkpoint.com/sending-fax-back-to-the-dark-ages; " Faxploit: Breaking the Unthinkable," Check Point, August 12, 2018, accessed August 14, 2018, https://blog.checkpoint.com/2018/08/12/faxploit-hp-printer-fax-exploit/#qa.

[7] Sean Gallagher, "“Funtenna” software hack turns a laser printer into a covert radio," Ars Technica, August 6, 2015, accessed August 20, 2018, https://arstechnica.com/information-technology/2015/08/funtenna-8oftware-hack-turns-a-laser-printer-into-a-covert-radio/.

[8] Kim Zetter, "HACKERS CAN REMOTELY SET ABLAZE HP PRINTERS, RESEARCHERS SAY," Wired, November 29, 2011, accessed June 29, 2018, https://www.wired.com/2011/11/hp-printer-hack/.

[9] Kaspersky Lab, "Ransomware and malicious crypto miners in 2016-2018," SecureList, June 27, 2018, accessed June 29, 2018, https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/