Most modern printers come with support for either wired or wireless network connectivity (or both!) to enable easy printing from all your networked devices. The products are designed to be easy to use: Just plug them in, put a CD into a computer, run the setup utility, and you’ll be good to go!
Unfortunately, this ease of use is provided at the expense of the security of the devices. Information Security has been diligent in telling systems administrators to turn off services on their servers, but printers have gone largely unnoticed. Many printers now run ftp servers, web servers, nfs and smb file shares, snmp, telnet, and dozens of other unnecessary services. These services put the device at risk.
What is the risk?
When asked, people often think that the consequences of an unsecured network printer might be “spam” in the form of unwanted printouts, or perhaps a “cute” message on the printer’s LCD screen. A more malicious attacker might reconfigure the printer’s network address to have it conflict with another address that is in use. The risks go deeper than these nuisances, however. In some cases it is possible for Internet users in remote locations to retrieve print jobs that are in progress, or even those that are already complete! Imagine the surprise of finding that your budget proposal, student grades, or salary review being read by someone in another country!
On May 21, 2007 the Incident Response Team issued a security advisory that discusses privacy and security issues involving printers.
Addressing the risk
Step 1: Secure your printer.
All printer vendors offer some sort of advice on how to secure the printer you just bought. See the vendor section below for a place to get started.
- Use Network Access Control Lists (ACLs) or Printer Firewall Rules to only accept network traffic from the BU Campus IP Address Space . Check the product manual for settings.
- Disable protocols that aren’t need for printing such as SMB, SSH, FTP. Typically only DIPRINT/JetDirect/RAW, IPP, LPR are required for printing
- Set SNMP to read only to prevent device setting modification
- Change default password of administrator account
Disable IPv6, as some printer firewall/ACLs don’t block this traffic
- Update device Firmware
Step 2: Move your printer to non-routable addresses
Printers, as well as file servers, can be protected by putting them on IP Addresses that cannot be routed over the Internet. These addresses, often called “10-net addresses” because they are of the form 10.x.y.z, can be established for all departments on the Charles River Campus and can be made accessible from anywhere on campus, including via our VPN services, but are always inaccessible from off-campus. This can be a huge win for security.
Step 3: Request an Audit!
We have the ability to remotely audit your printer and see what services are running that might be exploited. Doing so requires some coordination as we may cause your printer to print garbage or even hang it so that it requires a power cycle to be used again. In the end, however, we can give you a good impression of how secure, or not secure, your device is.
Step 4: Tell us about your experiences!
There are so many printers out there we can’t possible write a guide for all of them. However, if you have a printer and have figured out how to lock it down, let us know! We’d be happy to help you share your procedures.
Xerox Product Security Guidance