{"id":15010,"date":"2009-11-20T17:32:36","date_gmt":"2009-11-20T21:32:36","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=15010"},"modified":"2021-07-21T13:36:43","modified_gmt":"2021-07-21T17:36:43","slug":"printers","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/about\/security-resources\/bestpractice\/printers\/","title":{"rendered":"Securing Printers"},"content":{"rendered":"<p>Most modern printers come with support for either wired or wireless network connectivity (or both!) to enable easy printing from all your networked devices.\u00a0 The products are designed to be easy to use: Just plug them in, put a CD into a computer, run the setup utility, and you&#8217;ll be good to go!<\/p>\n<p>Unfortunately, this ease of use is provided at the expense of the security of the devices.\u00a0 Information Security has been diligent in telling systems administrators to turn off services on their servers, but printers have gone largely unnoticed.\u00a0 Many printers now run FTP servers, web servers, NFS and SMB file shares, SNMP, Telnet, and dozens of other unnecessary services.\u00a0 These services put the device at risk.<\/p>\n<h3>What is the risk?<\/h3>\n<p>When asked, people often think that the consequences of an unsecured network printer might be &#8220;spam&#8221; in the form of unwanted printouts, or perhaps a &#8220;cute&#8221; message on the printer&#8217;s LCD screen.\u00a0 A more malicious attacker might reconfigure the printer&#8217;s network address to have it conflict with another address that is in use.\u00a0 The risks go deeper than these nuisances, however.\u00a0 In some cases it is possible for Internet users in remote locations to retrieve print jobs that are in progress, or even those that are already complete!\u00a0 Imagine the surprise of finding your budget proposal, student grades, or salary review being read by someone in another country!<\/p>\n<p>On May 21, 2007 the Incident Response Team issued <a
href=\"http:\/\/www.bu.edu\/security\/advisories\/bu-adv-2007\/BU-2007.01.html\">a security advisory<\/a> that discusses privacy and security issues involving printers.<\/p>\n<h3>Addressing the risk<\/h3>\n<p><strong>Step 1: Secure your printer.<\/strong><\/p>\n<p>All printer vendors offer some sort of advice on how to secure the printer you just bought.\u00a0 See the vendor section below for a place to get started.<\/p>\n<ul>\n<li>Use Network Access Control Lists (ACLs) or Printer Firewall Rules to only accept network traffic from the <a href=\"https:\/\/www.bu.edu\/tech\/services\/security\/network\/firewall\/campus\/ipspace\/\">BU Campus IP Address Space<\/a>. Check the product manual for settings.<\/li>\n<li>Disable protocols that aren&#8217;t needed for printing, such as SMB, SSH, and FTP.\u00a0 Typically only DIPRINT\/JetDirect\/RAW, IPP, and LPR are required for printing.<\/li>\n<li>Set SNMP to read-only to prevent modification of device settings<\/li>\n<li>Change the default password of the administrator account<\/li>\n<li>\n<div>Disable IPv6, as some printer firewalls\/ACLs don&#8217;t block this traffic<\/div>\n<\/li>\n<li>Update the device firmware<\/li>\n<\/ul>\n<p><strong>Step 2: Move your printer to non-routable addresses<\/strong><\/p>\n<p>Printers, as well as file servers, can be protected by putting them on IP Addresses that cannot be routed over the Internet.\u00a0 These addresses, often called &#8220;10-net addresses&#8221; because they are of the form 10.x.y.z, can be established for all departments on the Charles River Campus and can be made accessible from anywhere on campus, including via our VPN services, but are always inaccessible from off-campus.\u00a0 This can be a huge win for security.<\/p>\n<p><strong>Step 3: Request an Audit!<\/strong><\/p>\n<p>We have the ability to remotely audit your printer and see what services are running that might be exploited.\u00a0 Doing so requires some coordination as we may cause your printer to print garbage or even hang it so
that it requires a power cycle to be used again.\u00a0 In the end, however, we can give you a good impression of how secure, or not secure, your device is.<\/p>\n<p><strong>Step 4: Tell us about your experiences!<\/strong><\/p>\n<p>There are so many printers out there that we can&#8217;t possibly write a guide for all of them.\u00a0 However, if you have a printer and have figured out how to lock it down, let us know!\u00a0 We&#8217;d be happy to help you share your procedures.<\/p>\n<h3>Vendor Resources<\/h3>\n<table style=\"width: 75%;\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"40%\"><strong>Manufacturer<\/strong><\/td>\n<td width=\"60%\"><strong>Web Site<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Canon<\/td>\n<td><a href=\"http:\/\/www.usa.canon.com\/\">http:\/\/www.usa.canon.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Epson<\/td>\n<td><a href=\"http:\/\/www.epson.com\/\">http:\/\/www.epson.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Hewlett-Packard<\/td>\n<td><a href=\"http:\/\/www.hp.com\/\">http:\/\/www.hp.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Ricoh<\/td>\n<td><a href=\"https:\/\/www.ricoh-usa.com\/en\/products\/printer-security\">https:\/\/www.ricoh-usa.com\/en\/products\/printer-security<\/a><\/td>\n<\/tr>\n<tr>\n<td>Toshiba<\/td>\n<td><a href=\"http:\/\/toshiba.com\/\">http:\/\/toshiba.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Xerox<\/td>\n<td><a href=\"http:\/\/www.xerox.com\/\">http:\/\/www.xerox.com<\/a><br \/>\n<a href=\"http:\/\/www.xerox.com\/information-security\/product\/enus.html\">Xerox Product Security Guidance<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Most modern printers come with support for either wired or wireless network connectivity (or both!) to enable easy printing from all your networked devices.\u00a0 The products are designed to be easy to use: Just plug them in, put a CD into a computer, run the setup utility, and you&#8217;ll be good to go!
Unfortunately, this&#8230;<\/p>\n","protected":false},"author":2620,"featured_media":0,"parent":6549,"menu_order":7,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/15010"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/2620"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=15010"}],"version-history":[{"count":10,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/15010\/revisions"}],"predecessor-version":[{"id":136267,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/15010\/revisions\/136267"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/6549"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=15010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}