Printers tested by researchers
Printers tested by researchers

"Printers are everywhere!," and while a decade ago this would have been a good thing, as we've got more conscious about security, this statement is now a cause for concern.

There have been numerous reports in the past years that have induced a state of dread when it comes to printer security, but none as ominous as recent research published this week by three academics from Germany.

In their analysis of overall printer security, the three looked at different brands of simple and multifunctional printers, such as HP, Brother, Lexmark, Dell, Samsung, Konica, OKI, and Kyocera, which they collected from fellow faculty members.

Researchers created a tool to automate printer security testing

Using a custom-made tool called PRET (Printer Exploitation Toolkit), researchers automated local (USB), network (LAN), or remote (Internet) attacks on printers using both old and new security bugs.

The researcher team used PRET to run exploits that leveraged attack vectors via PostScript and Printer Job Language (PJL), two languages supported by most of today's major printer vendors.

The team showed that an attacker could gain access to a printer's NVRAM (non-volatile memory) and extract content such as sensitive documents, passwords, and others.

Furthermore, bugs found in multifunctional printers exposed more data, such as passwords for local SMB, FTP, LDAP, SMTP, or POP3 servers, with which the "smart" printer was configured to interact.

Other security flaws allowed the attackers to crash printers or cause damage to some of the printer's physical components.

Vulnerabilities disclosed several years ago remained unpatched

Some of these bugs were new, while others have been known publicly for years, but few vendors bothered to patch them, showing the sorry state of security in the printer market.

Printer security evaluation

But researchers didn't only analyze the printer themselves, but adjacent services like Google Cloud Print, a service that lets users print documents from anywhere, on any printer.

Here too, researchers found bugs and also warned that similar services like the one offered by Epson, or Apple's AirPrint, could be vulnerable as well.

Only two vendors responded

Of all the printer makers the researchers contacted last fall, only Dell and Google responded, with Google offering the team a bug bounty of $3133.70 for their work.

The lack of response from other vendors shows why most of these devices have remained unpatched.

Knowing that printers are everywhere and they can leak sensitive information, these devices are precious reconnaissance and pivot points for any hacker trying to breach sensitive enterprise networks.

More details about the discovered vulnerabilities and exploitation scenarios are available in the researchers' paper titled "SoK: Exploiting Network Printers," a blog post summarizing their research, and a website dedicated to improving printer security.