Locking down the remote printer

Sponsored Feature As businesses journey deeper into an era of restless digital change, it's surprising how inventions from past decades still define the office environment.

Today, as in the 1990s, the main work device is still likely to be a desktop PC or laptop, while local applications such as Microsoft 365 remain a fact of life. And then there's the workgroup laser printer, a mainstay which almost single-handedly killed the notion that offices were destined to become paperless utopias.

Another lingering perception is the assumption that printers are benign servants that can do us no harm.  This is despite printers being fully featured computers which run their own internal OS, RAM, storage, and network connectivity, and present an attack surface big enough to make the device and its documents an obvious target for compromise.

Meanwhile printers have acquired new capabilities over the years such as scanning, advanced document storage, and remote management interfaces that let admins connect to them via a surprisingly long list of protocols.

Evidence that the same admins understand the risks arising from printers tends to be inconclusive. According to the Quocirca Print Security Landscape 2022 report, printer security is still some way down the worry list of most IT decision makers behind hybrid application platforms, email, public networks, and traditional endpoints. This is despite 68 percent admitting they'd suffered some form of printer-related data loss.

However, the risk perception rose slightly when asking about printers used by employees while working from home, an issue mentioned by 67 percent of respondents. In theory, organizations could stop using printers to mitigate this risk, except that 64 percent say printers and printing remains "critical or very important" for their business.

Spewing ASCII

If the risks posed by printers are, belatedly, being reassessed in some organizations, it's pranking not hacking that has helped to move the dial. Pranking is an invaluable and often misunderstood type of stunt hacking because, unlike malicious compromise, it doesn't try to hide its actions. On the contrary, the whole point is that everyone can see the weakness that's being exploited.

There has been a steady stream of printer pranking over the years. The 2017 Stackoverflowin attack in which 160,000 printers around the world were made to print out ASCII text, was a situationist jape which targeted exposed IPP ports. A year on and a similar attack caused 50,000 printers to print support for vlogger PewDiePie, the perpetrator of which made the plausible claim that an attacker able to print to a device remotely might also be able to capture or modify legitimate print jobs while they were at it.

People laughed at these incidents, but what makes them significant is that they showed that organizations were not paying enough attention to printer security any more than they were to securing that other unmanaged device problem, the Internet of Things (IoT). Indeed, it's illuminating to think of printers as a close relative to office IoT. As with IoT devices, they perform one specialized job, to print or scan on demand, beyond which it is tempting to dismiss them as dumb terminals, even inside organizations that set out to make security a priority.

"People simply aren't aware what might be exposed in these devices or what threats might target them," agrees Ellis Banton-Place, technical product development manager for Brother International Europe. "But working from home has pushed IT administrators to think about the risks in a more holistic way. Suddenly, people have a need to print at home, at which point it's natural that administrators question whether that device is secure."

Adding to the re-evaluation caused by home working is the growing influence of zero trust. This has caused IT departments to finally question assumptions about printers, which to many organizations are still like inscrutable black boxes. Now security is more likely to be on that list than it would have been before the pandemic, Banton-Place agrees.

"Manufacturers understand these risks which is why mitigation is built in as standard these days regardless of whether it's a home or office printer. Out of the box, it should be secure by design. The job of manufacturers, then, is to educate decision makers on what this amounts to in practical terms," he says.

"Printer security is about understanding the threats to the network traffic, to the device itself and to the documents it prints. Every security feature you'll find in secure printers will address one of these categories of risk," he adds before going on to list a range of printer security issues. These include:

Document security

Data security in printers is about securing the printer itself as well as the process by which printing happens. It sounds simple enough but turns out to involve several elements where risk can creep in. Adding to this is the fact that these gaps are often not easy to see, assuming anyone is even looking for them.

According to Banton-Place, organizations are usually aware of the need for document security, which doesn't mean it's always as tightly controlled as it should be. An employee inadvertently sends a print or scan job to the wrong printer, or to the correct one but forgets to pick it up in either case. In some instances, this type of mistake might constitute a data or compliance breach.

"Document protection is probably the first issue organizations pay close attention to." This concern is usually driven as much by internal confidentiality as worry about a breach. Beyond that, printing should be segmented by department to reduce the risk of a job being sent to the wrong part of the company.

One solution to this is some form of secure print release (watch a video here which explains the process), usually using a PIN code or a smart card, with authentication connected to Windows Active Directory.

But it doesn't end there. Scanned documents can also be protected and the contents of a print job made unreadable using encryption (find out how by watching this video on secure network printing). When a printer is finally disposed of, organizations need to ensure that any internal storage such as HDDs have been cleansed of stored data.

Legacy hardware

Next comes the security of the device itself. Printer life expectancy is longer than for endpoints such as PCs, servers, or laptops, with many still in use after a decade or more. In short, they hang around. The first issue this raises is that the security design of older devices won't be as good as more recent ones by default, for example older devices typically allow default passwords to access their management interface.  Even when this isn't the case, there's a good chance the firmware either wasn't updated, or those updates ceased years ago. 

A responsible printer manufacturer should support and update a printer for as long as it's likely to be used and not simply until it is no longer on sale, Banton-Place says. When that's not the case, organizations should either look to replace it with new secure by design hardware, or mitigate the risk from an obsolete device by locking down access or ensuring no valuable data is retained on it.

Admin and print traffic security

The printer configuration interface is another potential weakness. Using a strong password goes without saying but other issues to look for include turning off services that aren't being used (printers have to support a bewildering array of these, including Wi-Fi Direct for example) while ensuring that all traffic to the printer is protected end-to-end using, say, IPP over HTTPS.

Does your printer need remote configuration? This creates another risk if it's turned on and forgotten about Disabling unnecessary interfaces and protocols like WiFi if it duplicates network connectivity with Ethernet can reduce the attack surface for example, while remote access can be better protected using strong passwords and encrypted connections (watch a video explaining the process here)

Hybrid working

Every known risk is multiplied when employees work from home. In some cases, these printers won't be remotely managed, which makes their security state much harder to assess.  This is not advisable, says Banton-Place.

"Increasingly, organizations are allowing employees to choose their own devices, whether approved from a whitelist or worst case simply BYOD," he explains. "For this reason, remote administration is always a good idea."

For example, Brother offers a range of print solutions covering workers at home and in the office, including Managed Print Services (MPS), which include remote support, consumables management, detailed performance and usage reports, and necessary security configuration.

A final barrier to hybrid working can be the capabilities of the sort of devices specified for home use. In many cases, advanced security features will only be available with larger copier-level printers designed for office use inside the network.

"Customers are now asking for sophisticated features such as scan encryption in modest home printers and Brother has had to increase the features on these devices," observes Banton-Place. The company's devices now support secure connections to common online platforms, such as OneDrive and SharePoint, that can printed from and scanned to at home.

Print paths

This is the big takeaway from speaking to Banton-Place – today's printers come with the security features to close security gaps, including for the deskside devices users are now acquiring for remote working. It is possible to lock down the printer attack surface without that becoming a chore by following the same rules that would apply to any other network server or device.

Admins should be able to monitor who is using a printer, when it is being used, and integrate user authentication as part of Active Directory. They also have the option to use the Brother Solutions Interface (BSI) to develop software tools which can print or scan directly into external MPS, document management/imaging workflows, cloud platforms or other third-party applications or services. In many departments, asking users receiving print output to authenticate themselves should be the default. The same applies to end-to-end print encryption. The latter takes some setting up – print paths can be complex across multiple sites and the data center – but is worth the setup time in the end.

For decades, printer management was all about running costs, print performance, and document confidentiality at the expense of underlying device and data security. In a way, this relegated printers and printing security to the status of a secondary issue.

"Printers used to be a blind spot, but this is changing. Printer security is now a grown-up conversation," concludes Banton-Place.

Sponsored by Brother.