Article highlights need for increased awareness of printer security threats.
An article on the Guardian website suggests that printers are under threat from direct attacks, in spite of a common perception that firmware updates are a sufficient defence.
While companies have taken measures to protect their printers against attacks, such as HP which issued “more than 56” firmware updates after two academics publicly hacked into a HP laser jet printer “using freely available information and a budget of $2,000 (€1,600)”, a wide-area scan of HP laser jet printers on the internet conducted by researchers Stolfo and Cui indicated that just one to two percent of them had received these updates, with one in four still using the default password settings and some still using firmware from 1992.
Stolfo commented on their findings: “We have demonstrated not only that the firmware update function of certain printers is faulty, but that there are still a number of known vulnerabilities in the real-time operating systems [such as Linux] used in a large number of printer models.”
It was also found that, although it is often thought that the variety of printer firmware may put hackers off, “in reality […] many printers are actually built with similar general-purpose real-time operating systems and using the same stock components”.
Stolfo went on to emphasise that it is lack of awareness that makes the problem worse, with Ari Takanen, Founder and Chief Technical Officer of Codenomicon, a Finnish company that tests the robustness of printers, agreeing with this view.
“Few people realise that a lot of devices they have in their home don’t have the firewalls and anti-viral software they have come to expect from their PC and can compromise the networks they are on due to the vulnerabilities in their firmware.” Takenen commented, adding that such vulnerabilities “are made worse by out-of-date code, because people don’t treat their printer like a PC and update it regularly.”
Eeva Starck, a security analyst at Codenomicon explained that the problem is worsened by the increasing trend of printing from the cloud, with sending and receiving emails via printers meaning they are more liable to be attacked: “Files that get sent to the printers get cached before printing, and sometimes emailed forward. So if someone got in between these connections then they could cause the printer to crash, leak out confidential data and even put at risk the LAN [local area network] they are a part of.”
Start-up businesses are particularly at risk, says Starck, as they may not have the money to invest in security, but still handle confidential information.
Although Takenen is reportedly “pessimistic” about the chances of companies improving upon printer security, Stolfo believes that there could be a “massive new market” for the printer industry in that new products can and are being developed.