Limiting attack vectors and blast radius of a printer compromise

This is a hiatus from my current blog series, Security Metrics Automation, because I’ve recently had a printer bite the dust and have been reviewing printer security specifications. With all the frustrating things I run across in relation to security and technology and broken things lately, I was recently pleasantly surprised with a new printer I purchased. It has a feature I love which a lot of printers are advertising right now.
Printers are known to offer attackers particularly damaging security gaps, as I wrote about in my book, Cybersecurity for Executives in the Age of Cloud. They generally need to connect to the Internet to get firmware and software updates. They also need to be reachable from every device on your network that needs to print. On many home networks they sit on the same wi-fi network as all the other Internet of Insecure Things. And printers often rely on chatty or legacy network protocols (Bonjour/mDNS discovery broadcasts, for example) that spray traffic across the local network or require punching unwanted holes in firewalls.
I had concerns about some services running on my existing printer and usually just unplug it when not in use because I couldn’t find a way to turn them off. I also wasn’t too sure it was getting all the firmware updates, but I rarely use it. Mostly it’s disconnected from my network. But it’s kind of a pain to unplug and plug back in the printer just because I don’t have time to deal with it. I’d rather just get something more secure.
As it turns out, I turned it off for so long the ink clogged. The heads or something. I’m not a hardware person. Although I might be able to fix it based on some Youtube videos I watched, a first attempt failed miserably and black ink started dripping from the machine so I scratched that idea. It’s pretty old, was cheap to begin with, and it’s time for an upgrade anyway.
The most secure printer guarantee — but which models?
When I started looking at printers I wanted better security than my existing printer provided, so I compared the options. One particular brand advertises a guarantee that it has “the most secure printers.” That caught my eye because security is definitely one of my primary decision factors. Of course I want the most secure printer! But what does that mean exactly?
Unfortunately, as far as I can tell from the fine print, you have to buy the model that costs about $750 to get that guarantee. That’s a little steep for the amount of printing I require. I’m willing to pay a bit more, but with tax we’re approaching $1000, and it’s a very large device.
If you look through all the printers and specifications from that particular brand together, you’ll see that the security specifications vary widely based on how much you spend. Some models appear to have no security specifications whatsoever. The “most secure” option has features that most likely won’t apply to a lot of small business owners like myself or people looking for a home printer.
The other odd thing is that the printer model I purchased, though I think it has a really great security feature, doesn’t mention security at all in its marketing material. For many printer vendors security isn’t even a selling point. When I reviewed reports on printer security, I found that the most popular brand had been compromised more often than the one that barely advertises security at all. The more popular brand had basic flaws like cross-site scripting (XSS), and some of its models run an embedded web server, which is exactly the kind of component such flaws live in.
A firewall on a printer? Cool! Kind of.
Some of the printers advertise they run a firewall. That sounds neat. I went to the documentation to look at what the UI of this firewall looks like. I didn’t see any option in the documentation to actually see the firewall configuration. I didn’t see any way to change the rules of the firewall or configure it. I didn’t see any screen shots of the firewall logs. Advertising a “firewall” that the customer can’t see or configure seems a bit like a stretch to me.
A firewall whose rules are poorly configured, or that offers no way to apply a default-deny (zero-trust) policy, doesn’t mean much. If the customer can’t block or allow specific local networks from reaching the printer, it’s not clear how much good the firewall does. A firewall whose traffic you can’t inspect isn’t very helpful either, because network security has as much to do with monitoring as with configuration. A firewall on a printer would be amazing, but not so much if you can’t configure and monitor it.
Ink deals require online monitoring by the vendor
Some models offer things like “two years of free ink!” When I looked into that, I noticed that two years of free ink, according to the terms, doesn’t do much for someone like me. For this to work, the vendor requires you to sign up for a program where they monitor your ink levels remotely and ship you ink when your printer runs low. If you don’t print a lot, two years of ink might not be worth the extra cost of that model, because you won’t use enough ink to make up the difference. Additionally, I don’t particularly want to deal with that monitoring connection, though I could limit it to checking in periodically by opening and closing network ports (presuming the vendor doesn’t shut down the machine when it cannot connect).
The thing that bothered me more is that even if you don’t pay for the ink deal for two years it seems like they force you into this monitoring program. I can’t say for sure because I didn’t buy that particular printer, but the online reviews seemed to indicate people were being forced into registering for the program and connecting their printer to this monitoring system even if they didn’t want to join or buy the ink from them on a subscription basis.
Non-security related considerations
I read that the ink-monitoring model forces you to buy only the vendor’s ink, enforced by a chip in the cartridge that the printer checks for. That doesn’t bother me so much, since I like to get quality ink, but the other brands of printers I use sell cheaper ink than this vendor does. Multiple reviews said this printer would be more expensive to operate over its life than others, because its ink restrictions force you to buy more expensive ink. Even comparing vendor ink to vendor ink for the two models in one review I read, one vendor’s cost was higher than the other’s.
Another factor that influenced me was a lot of complaints about the touch screens on some models. Printers are a pain enough without having to deal with a hard-to-use touch screen. I was considering switching brands, but in the end I’m glad I didn’t, because the model I got has a very nice touch screen. I’m not going to publish which printer I purchased because I’m not here to sell printers, but make sure you read the detailed reviews. It will be worth your time. You may be able to go to a store to try out the touch screen.
Of course printing and scanning speed was a factor as well. I’m always in a hurry. Quality is a factor, but I don’t generally print photos. My printer works fine for my needs and can adjust to different levels of DPI for scanning. It processes a decent number of pages per minute.
Now for the best part — a new Wi-Fi Direct option
One of my favorite features of the new printer I got is the wi-fi direct option. I don’t know if all the printers that advertise this feature work the same way, but I was pleasantly surprised when I tried it out. The printer essentially runs its own small wi-fi access point, and a device joins that network and prints directly to the printer.
Whether or not this wi-fi direct option improves security depends on a few factors.
- How did the vendor implement the feature? Can you restrict traffic only to the wi-fi direct network (i.e. an entirely private network for printing) or does your printer still have to be connected to your wi-fi network or the Internet while using wi-fi direct?
- How do you configure and use it? Do you restrict traffic to wi-fi direct or do you still connect everything on your wireless network and the Internet constantly? Do you disable protocols you’re not using? Who has access to the administrative panel to reset passwords or change the settings? Could they insert a malicious USB device? All these factors contribute to your overall printer security.
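The list above asks whether you have disabled the protocols you’re not using, and that first requires knowing what the printer actually exposes. Here is an added example, not from the original post, that scans a printer with nmap and turns the grepable output into a short review list. The scan flags, the port list and the address 192.168.1.50 are my assumptions, and the sample scan output is constructed by hand.

```shell
#!/bin/sh
# Added example, not from the original post: find out which services a printer
# actually exposes before deciding which protocols to disable. It parses nmap's
# grepable (-oG) output. The scan command, port list, sample output and the
# address 192.168.1.50 are assumptions made for illustration.
set -eu

# Ports worth checking on a typical network printer (TCP unless noted).
PRINTER_PORTS="T:21,23,80,443,515,631,9100,U:161,5353"

# Scan one printer. -sU (UDP) needs root; "-oG -" prints grepable output to stdout.
scan_printer() {
  nmap -sS -sU -p "$PRINTER_PORTS" -oG - "$1"
}

# Read grepable nmap output on stdin, print one "port/proto service" line per
# open port. Entries look like "21/open/tcp//ftp///", separated by ", " in the
# "Ports:" section of a host line. UDP ports often show as "open|filtered".
open_ports() {
  sed -n 's/.*Ports: //p' | sed 's/[[:space:]]*Ignored State.*//' | tr ',' '\n' |
    sed 's/^[[:space:]]*//' | awk -F/ '$2 ~ /^open/ { print $1 "/" $3 " " $5 }'
}

# What each open port means on a printer, and what to do about it.
advice() {
  case "$1" in
    21/tcp|23/tcp) echo "cleartext legacy management (FTP/telnet): disable" ;;
    80/tcp)        echo "admin web UI over plain HTTP: use HTTPS, restrict to the admin host" ;;
    443/tcp)       echo "admin web UI over HTTPS: restrict to the admin host" ;;
    161/udp)       echo "SNMP: disable, or SNMPv3 only from the admin host" ;;
    515/tcp)       echo "LPD, unauthenticated print path: disable unless a client needs it" ;;
    9100/tcp)      echo "raw/JetDirect, unauthenticated print path: disable unless a client needs it" ;;
    631/tcp)       echo "IPP, the modern print path: usually the one to keep" ;;
    5353/udp)      echo "mDNS/Bonjour discovery: disable if clients are configured by address" ;;
    *)             echo "unexpected on a printer: investigate" ;;
  esac
}

# Turn grepable output on stdin into a review list: "port/proto service: advice".
review() {
  open_ports | while read -r portproto service; do
    echo "$portproto $service: $(advice "$portproto")"
  done
}

# Constructed sample of what "scan_printer 192.168.1.50" might return.
SAMPLE_SCAN='# Nmap 7.93 scan initiated as: nmap -sS -sU -p T:21,23,80,443,515,631,9100,U:161,5353 -oG - 192.168.1.50
Host: 192.168.1.50 ()	Status: Up
Host: 192.168.1.50 ()	Ports: 21/open/tcp//ftp///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 443/filtered/tcp//https///, 515/open/tcp//printer///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///, 161/open/udp//snmp///, 5353/open|filtered/udp//zeroconf///	Ignored State: closed (0)
# Nmap done at Tue Mar  1 10:00:00 2022 -- 1 IP address (1 host up) scanned in 2.31 seconds'

# Usage: ./printer-audit.sh            (review the constructed sample)
#        ./printer-audit.sh 192.168.1.50   (scan and review a real printer, as root)
case "${1:-}" in
  "") printf '%s\n' "$SAMPLE_SCAN" | review ;;
  *)  scan_printer "$1" | review ;;
esac
```

Run it against the printer from the network segment your clients actually use; anything in the list that you cannot turn off in the printer’s admin panel is a candidate for blocking upstream, or for keeping the printer off the shared network altogether.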
For those who don’t understand networking and security you might find this a pain in some ways and want to just connect the printer to your wi-fi and let the bonjour network traffic spam your local network. You can do that if you want. But I absolutely love this feature and the fact that I can lock it down to a printer-specific network. Here are some of the benefits:
Segregated and zero-trust printer updates: First of all, I can hardwire my printer to a port that segregates traffic from the rest of my network. That means while the printer is hard-wired it can get updates but it cannot communicate with anything else on my network, presuming I set this up correctly. When the printer is configured to use wi-fi the hard-wired connection is disabled, which at first annoyed me. But now I like it. I can lock the printer from the Internet except when I want it to go get updates, and I can monitor those updates.
Private printer network: When the printer is not getting updates, it has a wi-fi direct option where devices that need to print can switch over to that specific wi-fi connection. They can print whatever they need to print and then switch back to whatever network they were on to get to the Internet. That means that while printing, the device is not connected to the Internet and it’s also not connected to all the devices on your network all the time. The devices are only temporarily connected to the printer wi-fi as needed and it appears to be a private network. Although I get a message saying the printer is not connected to the Internet — it still works.
Shorter attack window: Finally, I set the printer to turn off automatically after a short period of inactivity. If someone needs to print, they just push the button to fire up the printer, connect to its wi-fi, and print. Let’s say I have a compromised device. That device has only a short window in which to reach the printer and compromise it. The opposite is also true: a compromised printer has only a short window in which to attack the device that is trying to print. In addition, only the devices actively trying to print are connected to the printer at all.
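The segregated update port described above, together with the test from the firewall section (can I stop specific local networks from reaching the printer, and can I see the traffic?), can be built on an ordinary Linux router with nftables. The following is an added example, not part of the original post or any vendor’s firmware; the interface names vlan30 and wan0, the printer address 192.168.30.10, the admin host 192.168.1.20 and the sample kernel log lines are assumptions I made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or any printer vendor: isolate a
# printer on its own router port/VLAN so that it can fetch updates from the
# Internet during an "update window" but can never talk to the rest of the LAN,
# and summarise what it contacted from the firewall log. Assumes a Linux router
# with nftables; vlan30, wan0 and the admin host 192.168.1.20 are made-up names.
set -eu

PRINTER_IF="${PRINTER_IF:-vlan30}"         # port/VLAN the printer is hard-wired to
WAN_IF="${WAN_IF:-wan0}"                   # upstream interface (NAT is assumed elsewhere)
ADMIN_HOST="${ADMIN_HOST:-192.168.1.20}"   # the only LAN host allowed to manage it

# Emit an nftables ruleset for the printer port.
#   updates : printer may open DNS and HTTPS to the Internet; each new flow is logged
#   locked  : printer may not initiate anything; replies to the admin host still flow
printer_vlan_ruleset() {
  mode="$1"
  cat <<EOF
add table inet printer_vlan
flush table inet printer_vlan
table inet printer_vlan {
  set rfc1918 {
    type ipv4_addr
    flags interval
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Only the admin host may reach the printer; everything else on the LAN is logged and dropped.
    oifname "$PRINTER_IF" ip saddr $ADMIN_HOST accept
    oifname "$PRINTER_IF" log prefix "printer-lan-drop " drop
    # The printer never initiates connections into private address space (no lateral movement).
    iifname "$PRINTER_IF" ip daddr @rfc1918 log prefix "printer-lateral-drop " drop
EOF
  if [ "$mode" = "updates" ]; then
    cat <<EOF
    # Update window: outbound DNS and HTTPS only, every new HTTPS flow logged.
    iifname "$PRINTER_IF" oifname "$WAN_IF" udp dport 53 accept
    iifname "$PRINTER_IF" oifname "$WAN_IF" tcp dport 443 ct state new log prefix "printer-update " accept
EOF
  fi
  cat <<EOF
    iifname "$PRINTER_IF" log prefix "printer-drop " drop
  }
}
EOF
}

# Summarise "printer-update" kernel log lines (journalctl -k or dmesg) on stdin
# as "<new flows> <destination>:<port>", to see where the update was fetched from.
summarize_update_log() {
  grep 'printer-update ' | awk '{
    dst = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^DST=/) dst = substr($i, 5)
      if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (dst != "") count[dst ":" dpt]++
  } END { for (k in count) print count[k], k }' | sort -k2
}

# Constructed sample of what the kernel logs while the update window is open.
SAMPLE_LOG='Mar  1 10:00:01 router kernel: printer-update IN=vlan30 OUT=wan0 SRC=192.168.30.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=49152 DPT=443 SYN
Mar  1 10:00:02 router kernel: printer-update IN=vlan30 OUT=wan0 SRC=192.168.30.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49153 DPT=443 SYN
Mar  1 10:00:09 router kernel: printer-lateral-drop IN=vlan30 OUT=lan0 SRC=192.168.30.10 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=49154 DPT=445 SYN
Mar  1 10:01:30 router kernel: printer-update IN=vlan30 OUT=wan0 SRC=192.168.30.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=49155 DPT=443 SYN'

# Usage (as root on the router):
#   ./printer-vlan.sh updates        open the update window
#   ./printer-vlan.sh locked         close it again
#   journalctl -k | ./printer-vlan.sh summary
case "${1:-}" in
  updates|locked) printer_vlan_ruleset "$1" | nft -f - ;;
  summary)        summarize_update_log ;;
  "")             printf '%s\n' "$SAMPLE_LOG" | summarize_update_log ;;   # demo on the sample
esac
```

Switching between the two modes replaces the whole table atomically, so there is never a moment when the printer port is unfiltered. Two things the ruleset deliberately leaves to the rest of the router config: NAT for the printer VLAN, and DNS if the router itself answers the printer’s queries (that traffic hits the input hook, not forward, and needs its own rule). The log prefixes are what make the "monitor the updates" half of the post possible: the lateral-drop line in the sample is exactly the kind of event you want to see and alarm on.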
Did I mention I LOVE this feature? I love this feature. Of course a persistent attacker or someone malicious on my own network might be able to figure out a way to compromise the printer, but it’s much, much harder than the way printers I’ve had in the past worked.
The caveats — if you use this in an office environment, provide training
For some it might be a pain to switch back and forth to different networks. But for me, as a security professional who understands the implications of all interconnected things when it comes to printers, I feel so much better with this option. As for my housemate, he rarely prints and puts up with my nerdy security restrictions with minimal grumbling.
If you work in an office and try to implement such security and policies where people have to switch onto the printer wi-fi to print, plan some time for explanations and training.
Explain the risks. Start by explaining how malware works. Explain how it jumps from machine to machine on the network. Use the examples and explanations in my book if you want. I specifically explain these concepts at an executive level to help people understand why these things matter for cybersecurity.
Explain limitations and use. Once people understand the risk, you’ll need to explain that if they want to print a document that lives on the Internet (a web page, or an attachment in webmail), they need to download it to their local machine before switching to the printer network. That’s the one thing that is kind of a pain, and if people aren’t trained in advance they might not understand why they cannot print a document that appears to be loaded in their browser.
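For the switch-print-switch-back procedure described above, here is an added example script (not from the original post) for a Linux laptop using NetworkManager and CUPS: it refuses to “print” a URL, switches to the printer’s wi-fi direct network, prints, and switches back to the previous network even if the print job fails. The SSID DIRECT-xx-Printer, the CUPS queue name office-printer and the assumption that NetworkManager profile names equal SSIDs are mine.

```shell
#!/bin/sh
# Added example, not from the original post: print over the printer's own
# wi-fi direct network and return to the normal network afterwards.
# Assumptions: Linux with NetworkManager (nmcli) and CUPS (lp); a saved
# connection profile already exists for the printer SSID (created once with
# "nmcli dev wifi connect <SSID> password <passphrase shown on the printer>");
# profile names equal SSIDs (NetworkManager's default). SSID and queue are made up.
set -eu

PRINTER_SSID="${PRINTER_SSID:-DIRECT-xx-Printer}"
PRINTER_QUEUE="${PRINTER_QUEUE:-office-printer}"

# Extract the active SSID from "nmcli -t -f ACTIVE,SSID dev wifi" output, which
# is one "yes:HomeNet" or "no:Neighbour" line per visible network. Prints
# nothing when no wi-fi network is active. (SSIDs containing ':' are escaped
# as '\:' by nmcli and are not handled here.)
active_ssid() {
  awk -F: '$1 == "yes" { print $2; exit }'
}

# The printer network has no route to the Internet, so a "document" that is
# only a URL cannot be printed there. Returns 0 only for a non-empty local file.
local_file_ready() {
  case "$1" in
    http://*|https://*) return 1 ;;
  esac
  [ -s "$1" ]
}

# Switch to the printer network, print, and switch back. The EXIT trap makes
# the switch-back happen even if lp fails or the script is interrupted, so the
# laptop is never left stranded on the offline printer network.
print_via_direct() {
  file="$1"
  if ! local_file_ready "$file"; then
    echo "download '$file' to a local file first; the printer network is offline" >&2
    return 1
  fi
  previous="$(nmcli -t -f ACTIVE,SSID dev wifi | active_ssid)"
  trap 'if [ -n "$previous" ]; then nmcli connection up id "$previous" >/dev/null; fi' EXIT
  nmcli connection up id "$PRINTER_SSID" >/dev/null
  lp -d "$PRINTER_QUEUE" "$file"
}

# Usage: ./print-direct.sh /path/to/document.pdf
if [ -n "${1:-}" ]; then
  print_via_direct "$1"
fi
```

The CUPS queue has to be defined with the printer’s address on its own wi-fi direct network, since the address it has on the home network is unreachable from there. The script’s “download first” check is the scripted form of the training point above: people who try to print straight from the browser get an explanation instead of a silent failure.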
Other than that, it’s a beautiful feature that minimizes a lot of risk, in my opinion. Network security is your friend. If there’s no path on the network, there’s no way in and no way out. If you minimize the time that path is open, you minimize the time an attacker has to carry out an attack. And it keeps the other insecure IoT devices on your other wi-fi networks from reaching your printer and the devices that store sensitive data.
Teri Radichel
© 2nd Sight Lab 2022