FAMILIARITY BREEDS BLIND SPOTS. Most people barely notice the ferns and the “hang in there” kitten posters scattered around them. Unfortunately, hackers find the equally familiar—and therefore easily overlooked—networked printers in most offices all too visible targets.
“Printers are often the forgotten stepchildren of IT,” says Brent Huston, CEO of MicroSolved Inc., an information security boutique in Columbus, Ohio. “They’re just seen as boxes that spit out paper.”
One of Huston’s customers certainly had that opinion, right up until someone hacked their check-writing printer. Cybercriminals intercepted files in the device’s cache and changed the payees and addresses. As nobody verified the checks after each print job, the company ended up mailing checks to hackers.
“Any device on the network is vulnerable and a potential entry point for hackers,” says Keith Kmetz, IDC program vice president for imaging, printing, and document solutions. “It may not be harder to secure printers than PCs, laptops, and servers, but most neglect to address these devices.”
What’s more, Kmetz adds, a substantial number of components in a modern printer are susceptible to hackers. Most have internal storage and memory, for example, and can act as a server for browser-based administration tools. Yet few have any real protection features right out of the box.
Some printers offer configuration options that administrators can use to help compensate for those vulnerabilities. Enterprise-class devices, in particular, tend to include automated hardening functionality not typically found in consumer models. According to Kmetz, some vendors do a better job of adding protection measures than others.
“HP has lots of information available on security for their printers,” he says, and Xerox uses third-party tools like McAfee’s Embedded Control to harden its products. “Certain devices have more comprehensive security services available, such as optional automatic hard drive overwrite kits,” Kmetz adds, “but you must take advantage of these security features and not ignore the printer after installation.”
Kmetz suggests asking printer vendors about their specific product defenses and taking the configuration steps necessary to enable them. Both Kmetz and Huston also recommend updating software and firmware on new printers, changing the default passwords, turning on encryption, performing penetration tests, and repeating those processes each quarter. Huston estimates that less than 5 percent of the printers his team encounters at new clients have been protected in those ways.
None of those tasks is extraordinarily tricky; they just tend to get overlooked, Kmetz notes—by everyone but the bad guys.
“Printers have a number of entry points, and all a hacker is looking for is one unguarded opening,” he says.