Cloud Printers Rain On Security Parade
The modern office printer is a machine of many talents. It can print, copy, and scan your most important documents in a flash. Connect it to the Internet, and it can do all those things and more from any device, anywhere, thanks to the advent of printer apps and nascent cloud computing services like Google Cloud Print or HP’s ePrint. But that same connectivity has made these devices a prime target for hackers seeking easy access to your office.
Robert Lemos over at the MIT Technology Review recently spoke to security consultant Deral Heiland about the security risks posed by modern printers. In the course of network penetration testing, Heiland developed “Praeda”, a simple program that seeks out network vulnerabilities exposed by unsecure printers running Web servers with default passwords--or worse, no password protection at all.
This weekend Heiland will demo Praeda and present a few of the most common printer security exploits at the seventh annual ShmooCon, a hacker convention in Washington, D.C. that promotes open discussion of information security.
After testing multiple Web-connected printers this year, we’re expecting these cloud computing devices to be a serious security issue, and we’re not alone; zScaler Labs’ V.P. of Security Research Michael Sutton published a lengthy blog post last year that exposed the simplicity with which a hacker could purloin copies of potentially dangerous documents left on the scanner of unsecured HP all-in-one printers.
Once again, the exploit involves ferreting out unsecured Web-connected printers with simple Google search strings like “Estimated Ink Levels” and “HP PhotoSmart” and taking advantage of poor password security to remotely subvert a printer and scan documents using HP’s WebScan feature.
Ultimately, the real problem exists between the chair and the keyboard: It’s perfectly safe to launch your printers into the cloud, just make sure to take the same security precautions with a Web-connected printer as you would with any other remotely-accessible repository of personal data. Disable remote access features unless absolutely necessary, change your password on a regular basis and never leave sensitive data (business or personal) in memory or on the scanner tray.