Printer hacking in the age of the IoT

Print and be damned? If the right security measures aren't in place, that could well be an organisation's fate.

Analyst and research firm Quocirca released findings last year that showed over 60% of organisations had experienced at least one data breach due to insecure printing practices. Over the past few years, there have been some widely publicised network printer hacks. These were usually pranks and not particularly harmful in themselves, but they underline the potential vulnerability of networked printers in the age of the IoT.

It comes as no surprise, therefore, that 95% of businesses surveyed by Quocirca reported that print security was an important element of their overall information security strategy (55% said it was very important, while 40% rated it fairly important). However, only 25% reported that they are completely confident that their print infrastructure is protected from threats.

"While connected printers and MFPs bring convenience and productivity, they also bring potential security risks," says Louella Fernandes, director, Quocirca. "These devices capture, process, store and output information, and run embedded software. Information is therefore susceptible at a device, document and network level. As well as putting confidential or sensitive data at risk of being accessible by unauthorised users, network connectivity makes vulnerable print devices potential entry points to the corporate network."

Open network ports present a security risk, enabling the MFP to be hacked remotely via an internet connection, she adds. "Printers can therefore be prime targets for DDoS attacks. Hackers may install malware on poorly protected printers and use them as ingress points for broader network access or recruit them to botnets." Indeed, when the businesses surveyed by Quocirca were asked which aspects of printers as IoT devices concerned them most, external hacker threats came out top (52% said a critical or big concern), followed by DDoS attacks on print devices (44%). Internal hackers, firmware updates and third-party collection of data tied for third place (41%).

"Nor is use of printers going away any time soon," insists Fernandes. "Quocirca's Print2025 study found that 64% of businesses surveyed across France, Germany, The Netherlands, the US and the UK expect printing to still be important in 2025. That number rises to approximately three-quarters of millennials who expect it to be more important than it is today (that may say something about the current resurgence of printed books over ebooks and reflect how millennials' attitudes differ from their predecessors in the workplace).

"While printing volumes will ultimately decline, there are also some 'sweet spots' in printer growth, most notably mobile printing. Over half of the companies surveyed expect mobile printing to increase by 2025 and over 40% have already implemented mobile printing to one extent or another."

Clearly, as networked print devices continue to be central to the way most organisations operate, they need to have robust security protection. "While more printer manufacturers are embedding security in their new devices, it only takes one rogue, unsecured device to weaken security," she points out. "Most businesses using printers have a mixed fleet of printing devices - old and new - and from different manufacturers. This is why businesses need to include printers within their wider enterprise-wide security strategies, integrated into overall security policies and procedures, using a proactive and multifaceted approach."

How can you step up your printer security? Quocirca offers these seven steps:

• A unified security policy for all printers - should a data breach occur, an organisation needs to be able to demonstrate that appropriate measures were taken to protect all networked devices, so it is important to be able to monitor, manage and report on the entire printer fleet, regardless of age, brand or model

• Secure printer-network access - multi-function devices, like any other device connected to the network, need controls that limit access and manage the use of network protocols and ports, plus steps to prevent potential viruses and malware

• Secure the device itself - to secure data, whether actively in use, sitting idle or used by the device in a previous job, use hard disk encryption as an extra security layer. When the printer is moved or reaches end-of-life, data overwrite kits make sure that all scan, print, copy and fax data stored on the hard disk drive is destroyed

• Secure who can do what - in common with many other forms of infosecurity, user authentication helps to eliminate the risk of unclaimed output being left in trays. 'Pull printing' makes sure that documents are only released physically at the printer to the authorised recipient

• Secure the document itself - digital rights management (DRM) discourages unauthorised copying or transmission of sensitive or confidential information, using features such as secure watermarking, digital signatures and PDF encryption.

• Monitor and manage print security on an ongoing basis - organisations need a centralised and flexible way to monitor usage across all print devices, at document and user level, which can be achieved using either MFP audit log data or third-party tools. These provide a full audit trail that logs the identity of each user, the time of use and details of the specific functions that were performed

• Seek expert guidance - security assessment services are something that managed print service (MPS) providers offer as part of the customer relationship. Not all are equal. Obviously, it makes sense to ensure that the risk assessor has the credentials and capabilities to fully evaluate the security risks across device, data and users.

In addition, the most sophisticated security assessments not only make recommendations for device replacement and optimisation, but also offer ongoing and proactive monitoring of devices to identify potential malicious behaviour.

"The bottom line is that printers are no longer dumb devices, but sophisticated ingress and egress points in a connected, increasingly IoT-centric world," Fernandes concludes. "Businesses clearly need to incorporate print into their overall security strategies, help users to use printers safely and also to work with their printer service providers. After all, print will continue to be part of the workplace for some time to come and, while just one element of a multi-faceted threat landscape, print is an area of risk that deserves more focus."