Flawed office printers are a silent but serious target for hackers

You probably don’t think too much about your humble office printer. But printers are a prime target for hackers, if the dozens of vulnerabilities found by security researchers are anything to go by.

The latest research by the NCC Group, just revealed at the Def Con security conference, shows just how easy a target office printers can be.

Think about it: Office printers at some of the largest organizations in finance, government and tech all print corporate secrets — and classified material — and often keep a recorded copy in their memory. Printers are also complicated devices — more so than most people realize — with multiple internet-connected components, networking protocols, printer languages and fonts and connected apps and devices, all of which have vulnerabilities.

No wonder they’re a target; office printers are a treasure trove of sensitive data. And because they often come with a web-based interface or an internet connection, they have a huge attack surface, making them easy to hack.

In the course of three months’ work, researchers Daniel Romero and Mario Rivas found and reported 45 separate vulnerabilities from six of the largest printer makers — HP, Lexmark, Brother, Xerox, Ricoh and Kyocera — which could have allowed attackers to, among other things, siphon off copies of print jobs to an attacker-controlled server.

They also showed they could hijack and enlist vulnerable printers into botnets — used to overload websites with junk internet traffic. Or, with little effort, they could brick the printers completely, potentially causing havoc for business operations.

“Suppose a criminal developed an [exploit] that sought to compromise and permanently corrupt every vulnerable printer; this would severely impact the world’s ability to print, and could be catastrophic for affected sectors that rely heavily on printed documents, such as healthcare, legal and financial services,” said Romero and Rivas.

Not only that, printers can also be used as a way to gain a “method of persistence on a network,” the researchers said, allowing attackers to gain deeper access into a corporate network from an easy point of entry.

Because in most cases printers aren’t protected by anti-malware services like desktops and laptops, a malicious attacker could gain a permanent backdoor on the devices, giving them long-term access to a target corporate network.

When the researchers reported the bugs, they received mixed responses from the companies. Although every printer maker has since fixed the bugs they found, the researchers said some printer makers didn’t have a way for vulnerabilities to be disclosed to them, leaving the researchers stranded and unable to make contact with some companies for more than two months.

Lexmark, which fixed nine vulnerabilities and issued its own security advisories, received a special mention for its “mature” vulnerability disclosure effort.

HP also issued a security advisory, noting the five bugs it received and later fixed.

But the researchers said there are “probably more” bugs ready to be found. “We stopped searching after a few vulnerabilities,” they said. What makes matters worse is that most printer makers share code from one device to another, likely vastly expanding the number of devices affected by a single vulnerability.

Maybe next time, think before you print.