Printer Exploitation in Corporate Environments
Printer exploitation in corporate environments is quite common and is frequently encountered during penetration tests. Printers are an integral part of corporate environments today. They are not very different from computers: they are just as open to exploitation and come with plenty of vulnerabilities. Printer exploitation is a serious problem, similar to the problems faced with computers, since printers are connected to the network like any other device. In earlier times, a printer's only function was to print the requested data. As technology developed, newer printers shipped with built-in memory and various security features. Printer exploitation has contributed to an increase in corporate espionage and the gathering of highly sensitive information.
How Printer Exploitation Happens:
Printers are more vulnerable to attack nowadays because most companies concentrate on the security of the PCs in their offices. The truth is that much of the highly sensitive data stored on PCs is also stored on the printer once it has been printed, and an internal attacker can exploit the printer to reproduce those prints. Attacks can be carried out in different ways. Some of them are listed below:
Authentication processes being bypassed:
Many MFPs in corporate settings have authentication mechanisms that control which users may access the device, so each company can keep a log of the employees using the printer. Users have to log in with their credentials to unlock the MFP, e.g. with an RFID key, a fingerprint, a swipe card or Lightweight Directory Access Protocol (LDAP) credentials. But most of these controls can be skipped by going through the MFP's network access, allowing attackers to bypass the security and print the information.
Work assigned to system users
An attacker can take advantage of vulnerabilities in the printer to modify the data predefined on it. Different users are assigned different permissions; once authentication is bypassed, this information can be edited to suit the attacker's requirements.
Personal devices with an OS
The mixture of mobile apps, cloud printing technology and the continuous spread of OS-based personal devices in companies has made things easy for attackers. An attacker could develop malware for such a device and use it to gain access to the printers connected to the network; after gaining access to a printer, the rest of the network can be reached easily.
SQL injection
This is a type of attack in which SQL-based spyware is installed into the firmware by the attacker. The continued use of many web-based features or applications may open the door to a phishing attack, through which the attacker deploys malware to the desired location. The threat level of a printer is the same as that of a PC. Any person can access an MFP physically or electronically if it is not securely controlled or protected, which leads to leakage of information from the MFP tray or to printed data being maliciously accessed over the network.
Denial of service
The amount of data to be printed varies with each user request. Since in large companies all of these requests pass over the network, an attacker can bring the device down by increasing the traffic on that network. The large number of requests made by the intruder may be difficult for the printer to handle, resulting in its malfunction.
Hard disk storage
Most corporate MFPs handle a large amount of information and have integrated disk drives. Access by unauthorized personnel exposes the sensitive information that was scanned or printed. For example, in 2010 the NYPD sold its MFPs, exposing details of an ongoing investigation.
Network sniffer device
A chip on the printer's circuit board can be replaced, or the firmware can be modified. A sniffer can also be plugged into the MFP's network port, where it can store or forward data packets.
Web management services
These management services have well-documented security problems. Cross-site scripting fools the user into believing they are connected to the printer's web server while they are actually communicating with the attacker.
Printer job language (PJL)
Printer job language sends printer status information to an application. It controls the file system along with the printer's settings, and it can easily be broken by a brute-force attack. Many hacker tools are also available that grant full system access by changing the settings.
FTP bounce attack
Anonymous FTP servers are used to drop print jobs into MFPs. Passive-mode FTP provides passive FTP forwarding, which makes it vulnerable: it lets an attacker use the MFP as a proxy server, hiding the attacker's IP address so that the attack is untraceable and redirected without the network attack being discovered.
SNMP backdoor access
Most MFPs have backdoor administrator access. Attackers can get in through a default password via SNMP (Simple Network Management Protocol), since the password is stored in an SNMP variable that anyone can read if they know the location of the variable and the address of the MFP. The structure of the network can be obtained just by sniffing the SNMP traffic.
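The attack vectors above (FTP, SNMP, PJL on the raw port, and request floods) all arrive over the network, so the first defensive check is whether printer service ports are being reached from outside the management subnet, and whether one source is hammering the device. This is an added example, not code from the original article: it parses constructed firewall log lines in a hypothetical format and flags both conditions; the subnet, printer address and port list are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Ports of the MFP services the attack section describes (ftp, telnet, web, SNMP, LPD, raw/PJL).
PRINTER_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp", 515: "lpd", 9100: "pjl"}
# Hypothetical policy: only this subnet may reach printer services on this one MFP.
ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
PRINTERS = {ipaddress.ip_address("10.0.9.7")}
FLOOD_THRESHOLD = 3  # connections from one source within 60 s that we treat as a flood
# Constructed firewall log format: timestamp src dst dport proto action
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=\S+ action=\S+$")

def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def analyze(lines):
    """Flag printer-service access from outside the allowed subnet and connection floods."""
    unauthorized, per_src = set(), defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        if dst in PRINTERS and dport in PRINTER_PORTS:  # only printer traffic matters here
            per_src[src].append(ts)
            if not any(src in net for net in ALLOWED_NETS):
                unauthorized.add((str(src), f"{PRINTER_PORTS[dport]}/{dport}"))
    flood = []
    for src, stamps in per_src.items():
        stamps.sort()
        for i, start in enumerate(stamps):  # sliding 60 s window per source
            hits = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= 60)
            if hits >= FLOOD_THRESHOLD:
                flood.append((str(src), hits))
                break
    return {"unauthorized": sorted(unauthorized), "flood": flood}

# Constructed sample log: a normal job, probes from outside the management subnet, and a raw-port burst.
SAMPLE_LOG = """\
2024-05-02T10:00:01 src=10.0.5.20 dst=10.0.9.7 dport=9100 proto=tcp action=allow
2024-05-02T10:00:03 src=10.0.7.33 dst=10.0.9.7 dport=161 proto=udp action=allow
2024-05-02T10:00:05 src=10.0.7.33 dst=10.0.9.7 dport=21 proto=tcp action=allow
2024-05-02T10:00:10 src=10.0.5.21 dst=10.0.9.7 dport=9100 proto=tcp action=allow
2024-05-02T10:00:11 src=10.0.5.21 dst=10.0.9.7 dport=9100 proto=tcp action=allow
2024-05-02T10:00:12 src=10.0.5.21 dst=10.0.9.7 dport=9100 proto=tcp action=allow
2024-05-02T10:00:20 src=10.0.5.22 dst=10.0.8.1 dport=443 proto=tcp action=allow
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` reports the SNMP and FTP probes from 10.0.7.33 as unauthorized and the three rapid raw-port connections from 10.0.5.21 as a flood, while the normal job and the unrelated HTTPS connection are ignored.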
Some of the threats posed by attackers exploiting printers are:
- Interception of unencrypted information and stored data.
- Spam and making services unavailable.
- Discovery of passwords and administration of network-connected devices.
- Data or information being altered or corrupted.
- Crashing vulnerable printers.
- Retrieval of previously printed data and information.
- Information for jobs waiting in the print queue is vulnerable and unencrypted, leading to espionage and theft.
- Remaining residual data can also pose a risk.
- A hacked printer can also serve as a pathway for attacking the PCs on the network.
- The MFP blocks firmware updates, ensuring the infection cannot be removed.
- APTs (advanced persistent threats).
- Modification of parameters by insertion of unexpected characters can even knock printers offline, requiring a manual reset.
- Hackers can make use of the printer's touch screen just by altering the FTP settings.
Security and Protection Measures
Printer configuration varies across models and manufacturers, but the security steps are almost the same for all of them. Many steps can be taken to strengthen the security of MFPs. They fall mainly into three groups:
- Secure remote management of MFPs
- Secure printer network interfaces
- Secure access and data
Steps to Secure the Printer:
- Configure a default-deny policy and a secure password-reset procedure.
- Protect the network with capable firewall hardware.
- Allow communication only with secured or trusted networks and hosts.
- Have the administrator update the printer firmware regularly.
- Use available tools, such as digital management tools, to protect sensitive data and information from loss or theft.
- Include MFPs in standard policies and regulations.
- Turn off unused protocols (e.g., AppleTalk) and services (e.g., telnet, web, ftp and SNMP). Also use secure printing options where available.
- Use the product's access control list (ACL) to restrict MFP usage to a predefined set of clients.
- Change the network printer password, and do not transmit it in clear text over the network.
- Apply access control at the MFP, and also at the level of individual functions, for individuals, groups, activities, etc.
- Prefer an MFP with integrated device software that operates on a whitelisting basis: only approved files are allowed and the embedded system is protected, which also allows the time and origin of an attack to be tracked.
- Require strong passwords for any enabled remote-access service.
- Enable SSL for network management (HTTPS) so that management traffic is encrypted.
- Configure syslog, which supports remote logging, to send to the network security server or a departmental monitoring server.
- Change the default community string.
- Send logs only with genuine authentication.
- Restrict remote-control services such as FTP.
- Use corporate-only network addresses so that the MFP is not reachable from the Internet.
- Integrate audit logging with real-time tracking by an intrusion detection system to surface potential risks.
- Use only firmware digitally signed by the vendor.
- Use SNMPv3, which provides data encryption and extensive security capabilities for remote management.
- Separate the fax and network interfaces from each other.
- Use NTP for clock synchronization.
- Apply TCP connection and port filtering.
- Control network traffic with encryption and authentication.
- Use TLS to secure LDAP, and use security templates.
- Auto-insert email addresses, which eliminates anonymous emails.
- Use confidential print, which removes print jobs from RAM after a set time has elapsed.
- Encrypt the hard disk with an AES key and support physical locks.
- Configure both automatic disk wipe and out-of-service disk wipe.
- Non-volatile memory wipe helps to clean all forms of flash memory.
Check the security of data transmission across the whole workflow.
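The checklist above is easiest to apply consistently when it is turned into an automated audit of each device's exported settings. This is an added example, not code from the original article or from any vendor: it models an MFP configuration as a constructed, vendor-neutral dictionary (the key names are assumptions) and reports every checklist item the configuration violates, shown against a weak "as shipped" configuration and the same device after hardening.

```python
# Constructed, vendor-neutral model of an MFP's exported settings (key names are assumed).
DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_PASSWORDS = {"", "admin", "password", "1234"}
UNNEEDED_SERVICES = {"telnet", "ftp", "http", "appletalk"}  # the checklist says to turn these off

def audit(cfg):
    """Return [(severity, finding), ...] for every checklist item the config violates."""
    findings = []
    enabled = {svc for svc, on in cfg["services"].items() if on}
    for svc in sorted(enabled & UNNEEDED_SERVICES):
        findings.append(("high", f"unneeded service enabled: {svc}"))
    if "https" not in enabled:
        findings.append(("high", "web management without HTTPS"))
    snmp = cfg["snmp"]
    if snmp["enabled"] and snmp["version"] != 3:
        findings.append(("high", f"SNMPv{snmp['version']} in use instead of SNMPv3"))
    if snmp["enabled"] and snmp["community"] in DEFAULT_COMMUNITIES:
        findings.append(("high", "default SNMP community string"))
    if not cfg["acl"]:
        findings.append(("medium", "no client ACL restricting who may use the MFP"))
    if cfg["admin_password"] in WEAK_PASSWORDS or len(cfg["admin_password"]) < 12:
        findings.append(("high", "weak or default administrator password"))
    if not cfg["syslog_server"]:
        findings.append(("medium", "remote syslog not configured"))
    if not cfg["firmware_signed_only"]:
        findings.append(("high", "unsigned firmware accepted"))
    if not cfg["disk"]["encrypted"]:
        findings.append(("high", "hard disk not encrypted"))
    if not cfg["disk"]["auto_wipe"]:
        findings.append(("medium", "automatic disk wipe disabled"))
    if cfg["ldap"]["enabled"] and not cfg["ldap"]["tls"]:
        findings.append(("high", "LDAP authentication without TLS"))
    return findings

# Constructed "as shipped" configuration with the weak settings the checklist warns about.
WEAK_CONFIG = {
    "services": {"telnet": True, "ftp": True, "http": True, "https": False, "ipp": True},
    "snmp": {"enabled": True, "version": 2, "community": "public"},
    "acl": [], "admin_password": "admin", "syslog_server": "",
    "firmware_signed_only": False, "disk": {"encrypted": False, "auto_wipe": False},
    "ldap": {"enabled": True, "tls": False},
}
# The same device after applying the checklist.
HARDENED_CONFIG = {
    "services": {"telnet": False, "ftp": False, "http": False, "https": True, "ipp": True},
    "snmp": {"enabled": True, "version": 3, "community": ""},
    "acl": ["10.0.5.0/24"], "admin_password": "constructed-long-passphrase-42", "syslog_server": "10.0.1.5",
    "firmware_signed_only": True, "disk": {"encrypted": True, "auto_wipe": True},
    "ldap": {"enabled": True, "tls": True},
}
```

`audit(WEAK_CONFIG)` yields thirteen findings, starting with the three unneeded services; `audit(HARDENED_CONFIG)` yields none.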