It’s tempting to think of printers, like Wi-Fi routers, as being purely utilitarian devices. After all, they have existed in one form or another for at least half a century and perform a relatively simple task--printing documents. Even so, printers--also like Wi-Fi routers--can actually pose some significant threats to your organization’s security.
Consider, for example, some of the printer-related exploits that have occurred over the last several years.
One of the tamer examples is an attack in which printers were used as a spamming tool. In 2018, according to Kaspersky, a hacker discovered 800,000 exploitable printers and printed an advertisement on 50,000 of the devices.
A more harmful incident occurred back in 2010, when CBS News purchased some used digital copiers that had previously been leased by Affinity Health Plan. Upon acquiring the machines, CBS began extracting data from the devices’ hard drives. This resulted in an estimated 344,579 people having their personal data exposed, and landed Affinity Health Plan a $1.2 million fine.
More recently, printers and multifunction devices have been involved in malware attacks. In one such attack, a hacker spoofed a multifunction device and sent users emails containing what they believed to be PDF files from documents that they had scanned on the device. However, these files were actually ransomware masquerading as PDF files. There have also been unconfirmed reports of hackers compromising printers, and then using the printer to spread malware to other devices on the network.
While all of these incidents are vastly different from one another, they all clearly point to the need for taking printer security seriously. Fortunately, there are several things that you can do to keep your printer from becoming a weak spot in your network’s security. It is worth noting, however, that each printer has its own unique features and capabilities, so not every technique is applicable to every printer.
When it comes to printer security, the first thing that I recommend doing is to check your printer’s defaults. Make sure that the device is not using a default password and that any security-related settings on the device are enabled. I also recommend making sure that the latest firmware is installed on all of your printers.
Another thing that you may be able to do is to configure your printers in a way that prevents users from being able to access them directly. Rather than mapping desktop operating systems directly to the printer, route all printing traffic through a Windows print server. This gives you the opportunity to create an isolated network segment between the print device and the print server.
The main advantage of having printers on isolated network segments (even if those segments are virtual) is that it makes it a lot tougher for a hacker to steal data en route to the printer. It also becomes more difficult for a hacker to compromise a printer if the printer is not directly accessible from the user network.
Another thing that you can do is to check to see if your printer supports the use of encrypted protocols. Not every printer supports encrypted communications, but such capabilities are becoming more common. If your printer does support the use of encrypted protocols, then be sure to disable (and block at the firewall level) any non-encrypted protocols.
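The sketch below is an added example, not part of the original article. It checks a firewall rule set (first match wins, default deny) against the layout described above: desktops reach printers only through the print server, and cleartext printing protocols are blocked. The addresses, rule sets and function names are constructed for illustration, and the port list reflects services commonly found on network printers.

```python
import ipaddress

# Constructed addressing plan (assumptions for illustration only).
USER_HOST = ipaddress.ip_address("10.10.0.25")    # a desktop on the user segment
PRINT_SERVER = ipaddress.ip_address("10.20.0.5")  # the Windows print server
PRINTER = ipaddress.ip_address("10.30.0.11")      # a device on the isolated segment

# Cleartext services commonly exposed by network printers.
PLAINTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP", 515: "LPD", 9100: "raw port 9100"}
# Port 631 carries both IPP and IPPS, so TLS on it must be enforced on the device.
PROBE_PORTS = sorted(set(PLAINTEXT) | {443, 631})

def rule(action, src, dst, lo, hi=None):
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst), lo, hi or lo)

def permitted(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for action, src_net, dst_net, lo, hi in rules:
        if src in src_net and dst in dst_net and lo <= port <= hi:
            return action == "allow"
    return False

def audit(rules):
    """Report direct user-to-printer paths and cleartext server-to-printer paths."""
    findings = []
    for port in PROBE_PORTS:
        if permitted(rules, USER_HOST, PRINTER, port):
            findings.append(f"user segment reaches printer directly on tcp/{port}")
        if port in PLAINTEXT and permitted(rules, PRINT_SERVER, PRINTER, port):
            findings.append(f"print server may use cleartext {PLAINTEXT[port]} (tcp/{port})")
    return findings

WEAK = [  # constructed: desktops mapped straight to printers, server unrestricted
    rule("allow", "10.10.0.0/24", "10.30.0.0/24", 9100),
    rule("allow", "10.20.0.5/32", "10.30.0.0/24", 1, 65535),
]
HARDENED = [  # constructed: printers isolated behind the print server
    rule("deny", "10.10.0.0/24", "10.30.0.0/24", 1, 65535),
    rule("allow", "10.10.0.0/24", "10.20.0.5/32", 445),   # users to print server (SMB, assumed)
    rule("allow", "10.20.0.5/32", "10.30.0.0/24", 631),   # printers set to require IPPS
    rule("allow", "10.20.0.5/32", "10.30.0.0/24", 443),   # HTTPS management
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules) or "no findings")
```

A port-based rule cannot tell IPP from IPPS on port 631, so the hardened set still depends on the printer itself being configured to refuse unencrypted connections.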
Device drivers on end user devices are another consideration when it comes to printer security. There are a few different schools of thought regarding device drivers.
First, some multifunction devices have separate device drivers for each device function. For instance, there may be one driver for printing and another driver for scanning. If there are certain capabilities that your users do not use (such as faxing), it might make sense not to install that particular device driver. (After all, a hacker cannot exploit a driver that has not been installed.)
Another consideration with regard to device drivers is what type of functionality your users ultimately require. If your users need access to all of the printer’s features, or if they do work that requires optimum print quality, then you will obviously need to install the manufacturer’s print drivers. If you do choose to use the manufacturer’s drivers, then be sure to update those drivers regularly as a part of your patch management strategy.
If, on the other hand, your users print only the occasional email message or Word document, you may be able to get away with using one of the generic device drivers that are built into the operating system. These generic device drivers may be more secure than the drivers provided by the manufacturer because some manufacturers have designed their drivers to collect usage data from end users.
Finally, use access control lists as a means of controlling who can print to your printers. Even if everyone in the office needs access to a particular printer, you should still use access control lists. When properly implemented, access controls can block anonymous access to network printers.