Your Printer Could Be a Security Sore Spot

Your network printer or copier can be a serious security liability. After all, these machines often handle sensitive documents and information, and they could provide an access route to other computers on the network--so you don't want a hacker to get at yours. It's time to take printer security seriously.

Simpler printers, like the ones in many home offices, usually lack internal storage and features such as a Web interface, so they usually have fewer security vulnerabilities. But more-advanced business-class multifunction printers and copiers are subject to a greater number of threats, since they are basically computers with their own hard drive, operating system, and direct network connection.

In this article, I'll discuss printer security issues and how to combat them. You may find these tips helpful whether you want to secure your existing equipment or plan to buy new or replacement printers.

Printer Threats

Printers face five main threats and vulnerabilities:

Document theft or snooping: A person can simply walk over to a printer and pick up a document that belongs to someone else.

Unauthorized changes to settings: If your printer settings and controls aren't secure, someone may mistakenly or intentionally alter and reroute print jobs, open saved copies of documents, or reset the printer to its factory defaults, thereby wiping out all of your settings.

Saved copies on the internal storage: If your printer has an internal drive, it can store print jobs, scans, copies, and faxes. If someone steals the printer, or if you throw it out before properly erasing the data, someone might recover the saved documents.

Eavesdropping on network printer traffic: Hackers can eavesdrop on the traffic on your network, and capture documents that you send from your computers to the printer.

Printer hacking via the network or Internet: A person on your network can hack into a network-connected printer fairly easily, especially if it's an older model that lacks newer security features or isn't password-protected.

Attacks from inside your network are only half of the problem, however. If your printer is accessible via the Internet, the field of potential hackers becomes virtually limitless. Attackers could send bizarre print jobs to it, use the printer to transmit faxes, change its LCD readout, change its settings, launch denial-of-service (DoS) attacks to lock it up, or retrieve saved copies of documents. They might even install malware on the printer itself to control it remotely or to gain access to it.

Physical Security for Your Printers

Place your printers in an open area to discourage employees and others from fooling with their settings.

Increasing the physical security of your printers can help prevent document theft or snooping, unauthorized access to stored documents, and misuse of the printer's ethernet or USB connections. Place printers strategically to balance ease of access and security. Putting them in a somewhat visible open area that is accessible to most the users may be a better idea than sticking them in a separate room or office where you can't monitor them as closely. In any case, consider designating separate printers for management and other sensitive departments and keep those machines secure from other employees.

Also consider buying printers that require users to provide some form of identification (such as a PIN) before it prints.

And don't neglect hard copies of documents. Shred sensitive papers when you no longer need them.

Password-Protecting Your Printers

If you have a business- or enterprise-class printer, it probably has an administrator control panel of some sort that you can access through a Web browser, a screen on the printer itself, or your PC's command line. Most such printers will let you password-protect the control panel to prevent others from changing settings without your knowledge. Refer to your printer's documentation to learn how to do this.

Securing Printer Admin Traffic on the Network

A password alone won't stop a determined hacker. The admin password may not be encrypted when you send it from your computer to the printer, which means that someone could intercept it and gain access to your printer's controls.

To avoid this, use an encrypted connection when you access the admin control panel, if your printer or print server supports it. For instance, when accessing the interface via a Web browser, use an "https://" address (which uses SSL encryption) instead of a regular "http://" connection. If you need command-line access, use encrypted SSH instead of clear-text Telnet sessions. If your printer came with a printer management application, see whether it supports encrypted connections.

For additional help in combating hacking, check your printer for ACL (Access Control List) support or for some other feature that lets you define who can use or administer it. Be careful not to open your printer's Web interface (or any other admin interface) to the Internet, to prevent people on the Internet from finding and trying to hack your printer. Your network firewall should provide enough protection and this shouldn't be an issue unless you explicitly configure it to open access to your printer. If your printer supports Internet Printing Protocol (IPP), FTP print jobs, or any other feature that lets people send it print jobs over the Internet, consider disabling the feature if you don't use it.

If your printer or print server uses SNMP (a protocol for managing and monitoring devices on networks) to communicate (as HP's JetDirect products, for example, do), try changing the default SNMP community names to a strong password to help frustrate would-be password capturing, cracking, and additional hacking. And whenever possible, use SNMPv3, a newer version of SNMP that includes authentication and encryption for added security.

Securing Printer User Traffic on the Network

To prevent users on the network from intercepting print jobs as they go to the printer, find out whether your printer or print server supports encrypted connections to and from the PCs on your network. Some printers do use SSL/TLS, IPsec, and other encryption methods.

Check your printer's documentation and consult the vendor about whether your current equipment supports encryption or if you can purchase additional hardware or software to add such support.

Updating and Upgrading Your Printers

Make sure that you keep your printer's firmware and drivers up-to-date. Often, updates add new or improved security features, patch known security holes, and fix other problems.

Discarding an Old Printer

Before disposing of an old or broken printer, make sure that its internal hard drive (if it has one) isn't saving any documents. Check your printer's documentation or speak to its manufacturer to determine whether it has a drive--and if it does, to learn how to erase the data. If the you can easily remove the drive, you may be able to connect it to a PC and erase the data with special drive wiping programs that make the data completely unrecoverable.

Further Network Security

Keeping your printers secure is about location, password protection, encryption, and updating. But general network security is just as important. For a discussion of that subject, see "Lock Down Your Wi-Fi Network: 8 Tips for Small Businesses."

Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity, which helps businesses protect their Wi-Fi with enterprise (802.1X) security, and On Spot Techs, which provides on-site computer services.

Subscribe to the Security Watch Newsletter

Comments