Study Raises New Concerns Over the Security of Network Printers
Printers remain one of the most essential devices for daily work in spite of a push for paperless offices. That being said, just how secure are they? According to a new report, titled “SoK: Exploiting Network Printers,” confidence isn’t so high.
In their analysis of printer security, authors Jens Müller, Vladislav Mladenov and Juraj Somorovsky, all academics from Germany’s Horst Görtz Institute for IT-Security, Ruhr University Bochum, evaluated 20 printer models from different vendors—including HP, Brother, Dell, Samsung and Konica. Using their own custom-written tool called Printer Exploitation Toolkit (PRET), they found all models “to be vulnerable to at least one of the tested attacks.”
Specifically, the research team used PRET to hit the printers with a range of local, network and internet-based attacks on PostScript and Printer Job Language (PJL), two common software interfaces. The team proved that an attacker could gain access to a printer’s NVRAM (non-volatile memory) and intercept sensitive documents, passwords, etc.
As indicated in the chart below, attack methods covered denial of service (making printers go offline or into a programming loop); protection bypass (resetting to factory defaults); print job manipulation (interfering with what is printed); and information disclosure (accessing document content). While some of the bugs were new, others have been an issue for more than a decade. The problem, of course, is that many vendors failed to patch the bugs.
Researchers also took a look at adjacent services like Google Cloud Print, technology that allows users to print documents from anywhere—including phones—to any printer. They learned that these services, too, were vulnerable to attacks.
The team disclosed their findings to all printer manufacturers and to the administrators responsible for vulnerable interpreter-processing websites. Of those companies, Google rewarded their work with a payment of $3,133.70.
In this case, silence speaks volumes.