How to protect the original IoT device: The printer

Printers aren’t just jam-prone machines that frustrate IT pros and employees alike. These days, many are effectively giant computers, complete with hard drives and internet connectivity. The increasingly sophisticated nature of the printer calls for a checklist of security safeguards. The defenses—including firmware updates, network segmentation, and configuration policies—are especially important when the smashable, but not unhackable, printers end up on the bottom of the IT pro’s to-do list.

IT organizations today are focused on digital transformation and keeping pace with competition, Bryan Willett, CISO at the imaging and printing product provider Lexmark International, said.

“When you talk about printers, it’s not top of mind for them. It’s not what drives probably the majority of their meetings every day,” Willett told IT Brew.

Testing, testing. Penetration testers and security researchers frequently point out printer-related attack possibilities. In January, the cybersecurity company Trustwave said it found a vulnerability in the Kyocera printer’s web application that “allows attackers to coerce authentication attempts to their own resources.”

Companies like HP have had to release firmware updates after a reported vulnerability, like one from Trend Micro’s Zero Day Initiative team in early 2022. The ZDI team found HP Print products potentially vulnerable to remote code execution and buffer overflow, which corrupts an application by sending it large amounts of data.

Print IoT out. The web-connected printer is a classic example of an Internet of Things (IoT).

“And it’s probably one of the more powerful ones that you have, because they have a lot of memory and processor on them, unlike a lot of smart devices,” Chester Wisniewski, director and global field CTO at the cybersecurity company Sophos, told IT Brew.

And IoT malware is on the rise, according to a report from the cloud-security company Zscaler, which discovered 300,000 blocked attacks from known IoT threat actors and a “400% increase in IoT malware,” when comparing the first half of 2023 with the same time period in 2022. An April 2023 report from Bitdefender found that the average US household has 46 internet-connected devices and experiences an average of eight attacks daily.

IoT devices—from smart cameras to aquarium thermometers—have been an entrypoint for malicious hackers. A printer could be a starting point, too, according to Wisniewski.

“Once somebody’s on there, there’s an operating system; they can hide on that thing and use it as a jumping-off point to attack other devices in the network,” Wisniewski said.

And the on-network compromise can happen just as easily on-prem.

An IoT device “just sits there,” Robert Clyde, past board chair at the global IT association ISACA and chairman and board director at the IoT security company Crypto Quantique, told IT Brew, meaning that, theoretically, an insider could walk up to it, add a USB, and install new firmware.

“The danger of IoT devices versus our phones, notebooks, and tablets is that those are almost always in our possession,” Clyde said.

So, what to do?

• Install new firmware…but the vendor-approved kind. “If the device is running older firmware, that means that these hackers have access to known vulnerabilities,” Shivaun Albright, chief technologist of printing security at HP, said.
• Set a complex admin password, Willett suggested.
• Eliminate any unnecessary services like “file transfer protocol” (FTP) and Telnet, a remote communication protocol. FTP could lead to an extraction of hard-drive data and Telnet may lead to operating-system access, Clyde said.
• Segmentation: Make sure firewall rules only allow specific systems to access the printer. “If I managed to compromise that printer in finance, maybe I can attack the seven workstations in finance, but I can’t use that as a launching pad to then attack the entire server infrastructure of the company,” Wisniewski told IT Brew.

Conducting the above protections sounds easy enough, but IT pros’ history of frustrations with printers may hinder attempts to protect them.

“The frustration can lead to complacency and, ‘I just don’t want to worry about it. I’m just going to ignore it.’ That, I think, is the biggest problem,” Clyde said.