Raising the Bar for Printer Security



HP Canada recently hosted a Printer Security tech day for a small number of participants that they considered influencers. Recognizing my contributions to both the Atlantic Security Conference (AtlSecCon) and the Halifax Area Security Klatch (HASK) I was fortunate enough to be included as one of the seven attendees.

After it was identified that some of my friends and peers would also be attending, I agreed to participate without hesitation. A free lunch and some time to catch up over drinks with friends sounded like a great idea; besides, Mississauga in early February, what could go wrong, right? Well, after a few flight delays for some of us, we were all welcomed to the HP Canada offices located in Mississauga.

Having worked in the office equipment industry very early in my career (yes, I was “the copier repair guy”), I must admit I was not expecting to learn anything new. Boy, was I mistaken. To HP’s credit they were completely transparent, and after a few presentations a clear security narrative started to emerge for the protection of Devices, Data and Documents.

Understanding the Threat

Printers ship with default passwords and may store Active Directory credentials, used to authenticate via LDAP, so that scanned or printed documents can be sent to file shares. Printers are inherently insecure and can also often be coaxed into providing LM hashes. One of my go-to reference books is “The Hacker Playbook 2” by Peter Kim; in it the author identifies printers as an attractive target for gaining a foothold into a network before moving laterally and penetrating even deeper.

How big is the problem?

Shodan.io is a search engine that enables the user to easily find internet-connected devices like webcams, routers and, of course, printers. Recent search results indicate that there are a significant number of internet-connected printers, with the most common service exposed being HTTP. Any authentication over HTTP for the web management interface of these devices is likely basic authentication and can easily be bypassed, but hey, the default passwords are likely to work anyway... right?


What can we do about it?

We have to change the way we think about these devices: a modern printer has large compute and storage resources, a web interface, and access to (and often copies of) your most sensitive data, and all of that needs to be considered when discussing printers. Simply put, as these devices become more sophisticated, vulnerabilities increase. As information security and cybersecurity practitioners we must include printers as endpoints and apply risk management practices accordingly.

Covering Your Assets – Practical Advice

Protecting the Endpoint

·        Harden devices by leveraging best practices such as disabling unused protocols, closing unused ports and changing any default passwords.
·        Control access to print device settings and functions with administrative controls.
·        Include security feature requirements in the procurement process, like centralized security policy management and the ability to ensure only authorized firmware and software can be installed and executed.


Protecting the Data

·        Leverage encryption to ensure print job data is protected while in transit and while at rest.
·        Require user authentication to access the device and its features.
·        The asset management lifecycle must include secure destruction practices to ensure removal/erasure of data before recycling old products.
·        Leverage secure printing solutions to enable printing from mobile devices.

Protecting the Documents

·        Store print jobs until the user authenticates at the device before printing (pull printing).
·        Use secure input trays to protect sensitive media like checks and prescriptions.
·        For regular printing of sensitive information, consider moving printers to a controlled-access area.
·        Enable anti-counterfeiting solutions such as security toner to prevent the alteration and tampering of sensitive documents.
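As an added example (not from this post, HP, or any vendor tool), the following Python scores a constructed fleet of printer configurations against the hardening points above, so that remediation can be prioritised the way it would be for any other endpoint; the service list, the weights and the sample devices are assumptions made for illustration.

```python
from dataclasses import dataclass

# Legacy or cleartext services the advice says to disable; weight = relative risk (assumed scale).
RISKY_SERVICES = {"telnet": 3, "ftp": 3, "snmpv1": 2, "snmpv2c": 2, "http": 2}

@dataclass
class PrinterConfig:
    name: str
    services: set                # protocols enabled on the device
    default_admin_password: bool
    stores_ad_credentials: bool  # LDAP / scan-to-share account saved on device
    signed_firmware_only: bool   # only authorized firmware/software can run
    encrypt_in_transit: bool
    encrypt_at_rest: bool
    pull_printing: bool          # jobs held until the user authenticates
    internet_reachable: bool     # would show up in a Shodan-style search

# Each check: (predicate, weight, remediation text) mapped from the bullet lists above.
CHECKS = [
    (lambda c: c.default_admin_password, 5, "change the default admin password"),
    (lambda c: c.default_admin_password and c.stores_ad_credentials, 5,
     "stored AD credentials sit behind a default password"),
    (lambda c: not c.signed_firmware_only, 3, "require signed firmware/software"),
    (lambda c: not c.encrypt_in_transit, 3, "encrypt print jobs in transit"),
    (lambda c: not c.encrypt_at_rest, 2, "encrypt stored jobs and credentials at rest"),
    (lambda c: not c.pull_printing, 1, "enable pull printing for sensitive output"),
]

def audit(cfg):
    """Return (risk score, findings) for one device; higher score = fix first."""
    score, findings = 0, []
    for svc in sorted(cfg.services & set(RISKY_SERVICES)):
        score += RISKY_SERVICES[svc]
        findings.append(f"disable {svc} (legacy or cleartext protocol)")
    for predicate, weight, fix in CHECKS:
        if predicate(cfg):
            score += weight
            findings.append(fix)
    if cfg.internet_reachable:
        score *= 2  # every weakness above is reachable by anyone, so double it
        findings.append("remove the device from direct internet exposure")
    return score, findings

def prioritize(fleet):  # order devices so remediation starts with the worst one
    return sorted(((c.name, audit(c)[0]) for c in fleet), key=lambda t: -t[1])

# Constructed sample fleet (not real devices): one legacy MFP, one hardened one.
FLEET = [
    PrinterConfig("lobby-mfp", {"http", "telnet", "snmpv1", "ipp"},
                  True, True, False, False, False, False, True),
    PrinterConfig("finance-mfp", {"https", "ipps", "snmpv3"},
                  False, True, True, True, True, True, False),
]
```

Running `prioritize(FLEET)` puts the internet-reachable lobby device with default credentials and stored domain credentials at the top of the list, which is exactly the device a Shodan search would find first.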

Some Internet History and an Infamous Guest speaker

After a day of talks and interaction with various HP professionals, it was a surprise and a pleasure to meet Michael Calce. Under his hacker handle, Mafiaboy, Calce was responsible for a number of highly publicized distributed denial of service (DDoS) attacks against large commercial websites, including Dell, CNN, eBay and Yahoo!, in 1999 and 2000.

Early in my information security career I had the opportunity to attend a local High Tech Crime Investigation Association (HTCIA) conference in Halifax. The keynote was from one of the FBI’s lead investigators handling the “Mafiaboy” DDoS case. During this presentation they profiled Mafiaboy and portrayed him as a hardened criminal fitting every hacker stereotype available.

Meeting Michael was an opportunity to hear his side of the story and what those events were like for him at fifteen years old. He openly communicated that he has since reformed, and he now serves as Chairman of the Security Advisory Board for HP. Welcome to the blue team, Michael; as defenders we are glad to have you.

#HP #PrintSecurity

Many thanks to HP Canada for including me.


Learn more about HP’s Secure Printing Solutions

BANZAI!

Koz