Modern high-volume production printers are more than just output devices. They are sophisticated network and computing platforms that can become an open door to hackers and malicious software. Just think: Everything you receive in the mail was printed somewhere. Your tax bill, your credit card statement, your banking documents, even important legal papers all originated on some computer system, which sent a composed document to a production printer.
In the early days, printers were output devices connected via various physical peripheral interfaces. The original IBM 1403 line printer, introduced in 1959, used a high-speed chain to imprint up to 6¼ feet per second of 11 x 14-inch fanfold pinfeed “greenbar” paper, at an average of more than 23 pages per minute. When running at full throttle, the device sounded like “somewhere between a power saw and a jet airplane,” according to its operators. The worst that could happen back then was to hear silence, a rare event that indicated a system problem. For example, the mainframe might be waiting for a control signal from the printer while the printer control tape did not have that particular “channel” hole punched, causing blank paper to slew at top speed in an endless loop.
Today’s printers are network devices. Even small desktop printers have integrated Wi-Fi or Ethernet and are very much part of the Internet of Things (IoT). These printers can have significant vulnerabilities and can sometimes be used as part of a “botnet” that hackers use to conduct a distributed denial of service (DDoS) attack. In the worst-case scenario, large production printers can be penetrated, allowing the hackers to listen to network traffic, steal documents, and install malware to take control of the device and return later for more damaging activities.
Printer manufacturers are aware of these vulnerabilities, but many consumer printer models still use hard-coded “admin” passwords that are rarely changed. Here are some examples of real-world attacks on printers and the dangerous consequences:
· Criminals have disabled printers that confirm SWIFT network transfers during attacks on numerous banks in India.
· Ransomware known as Mamba, or HDDCryptor, can shut down printers by spreading across network shares via Server Message Block (SMB).
· In 2010, a CBS News investigative reporter bought four printers for about $300 each and was able to recover pay stubs, domestic violence complaints, building design plans, and more.
· In 2013, the Department of Health and Human Services fined one company $1.2 million for HIPAA violations for failing to erase healthcare records saved on a printer it had leased.
· In 2016, an internet troll caused printers worldwide to print an anti-Semitic flyer by sending a PostScript file to printers with port 9100 exposed.
· In 2017, hacker "Stackoverflowin" created an automated script that finds exposed printer ports and sends a print job to the machine that warns users of its vulnerability.
In professional IT print and document distribution operations, it is always necessary to secure every network device that can become a vector for hackers to steal, ransom, or destroy valuable data. The US government has strict standards governed by frameworks like NIST 800-53. The federal government’s Defense Information Systems Agency has developed Security Technical Implementation Guides (STIGs) that agencies like the IRS use in their device-hardening standards. These comprehensive Safeguard Computer Security Evaluation Matrices (SCSEMs) provide guidance for auditors to ensure each printer is as secure as it can be.
The standards for meeting IRS requirements for securing Federal Tax Information (FTI) are extremely strict and detailed. These standards serve as a useful goal for any organization interested in securing its valuable data. At a minimum, each printer should be treated like any other network device and included in vulnerability scans. Some other recommended questions to ask, each with the requirement behind it, are:
· Does the printer alert appropriate officials in the organization in the event of an audit processing failure? Printers must be configured to record all relevant details of files processed.
· Does the printer authenticate all devices or accounts to which it is permitted to accept or initiate connections? Printers must authenticate all connections.
· Does the vendor have a CIS benchmark for the printer’s operating system? For example, Xerox has a benchmark called the Federal Overlay, which must be applied to all printers to comply with federal hardening standards.
· Do users require passwords to manage or configure the printer? All printers must authenticate users with passwords that have complexity requirements similar to those for network or workstation logins.
· Does the printer’s console have a timeout period? All printers with consoles must have a timeout of a maximum of 30 minutes, after which the user must log in again.
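The checklist above can be run as a repeatable check across a printer fleet. The following is an added example, not part of the original article or any vendor tool; the field names and the sample inventory are constructed assumptions, and a setting that is missing from the inventory is treated as a failure rather than a pass.

```python
# Added example: field names and the sample inventory are constructed for
# illustration and do not match any vendor's export format.
MAX_CONSOLE_TIMEOUT_MIN = 30  # maximum console timeout from the checklist

def _timeout_ok(p):
    t = p.get("console_timeout_min")
    # bool is a subclass of int, so require an exact int; None means no timeout set
    return type(t) is int and 0 < t <= MAX_CONSOLE_TIMEOUT_MIN

# (finding id, predicate that is True only when the printer passes)
CHECKS = [
    ("audit-failure-alert", lambda p: p.get("audit_failure_alert") is True),
    ("job-logging", lambda p: p.get("job_logging") is True),
    ("connection-auth", lambda p: p.get("authenticates_connections") is True),
    ("vendor-benchmark", lambda p: bool(p.get("benchmark_applied"))),
    ("admin-password", lambda p: p.get("admin_password_required") is True
        and p.get("password_policy_matches_logins") is True),
    ("console-timeout", _timeout_ok),
]

def audit(printer):
    """Return ids of checklist items the printer fails; missing settings fail closed."""
    return [cid for cid, passes in CHECKS if not passes(printer)]

def audit_fleet(inventory):
    """Map printer name -> failed checks, listing only printers with findings."""
    report = {}
    for p in inventory:
        failed = audit(p)
        if failed:
            report[p["name"]] = failed
    return report

# Constructed sample inventory (hypothetical device names and values).
INVENTORY = [
    {"name": "prod-press-01", "audit_failure_alert": True, "job_logging": True,
     "authenticates_connections": True, "benchmark_applied": "vendor-overlay",
     "admin_password_required": True, "password_policy_matches_logins": True,
     "console_timeout_min": 15},
    {"name": "mailroom-02", "audit_failure_alert": False, "job_logging": True,
     "authenticates_connections": True, "benchmark_applied": None,
     "admin_password_required": True, "password_policy_matches_logins": False,
     "console_timeout_min": 60},
    {"name": "desk-03"},  # nothing recorded: every check fails closed
]

if __name__ == "__main__":
    for name, failed in audit_fleet(INVENTORY).items():
        print(f"{name}: FAIL {', '.join(failed)}")
```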
Printers do not ship secure out of the box. Organizations that operate production printers, or even desktop printers, used in sensitive or moderate risk applications must take the time to research, plan, and implement printer security, just as they would with the most sophisticated servers, desktop workstations, or network devices. Don’t forget that a modern printer is just as vulnerable as any other part of the network. Don’t let your printer be an open door to hackers.
Steve Berman is Director of Risk and Compliance for DATAMATX, one of the nation’s largest privately held full-service providers of high-volume print and electronic transactional communications. For more information, visit www.datamatx.com.
This article originally appeared in the September/October, 2022 issue of Mailing Systems Technology.