Protecting Printers

The Army, and the world in general, has been slow to accept the fact that anything on a network can present a risk to that network.   Routinely, we’ll place a device on the network without properly configuring it, patching it, or securing it without a second thought.  Even on the occasion that we do think about the security of that device, we look at the device as being unimportant and it doesn’t really matter if it is compromised.  We fail to recognize that a compromised device on the network is a beachhead on our network which can give an attacker a great starting point to finding his way to much more important systems.

It should be remembered that the attack on Targets credit card system in late 2013 was ultimately traced back to a set of compromised credentials for an out heating/air conditioning company that was used to log into Target’s contracting system.  These credentials which had absolutely nothing to do with the credit card system gave the attackers the inside access that they needed to ultimately expand into the point of sale system.

Today we’re going to talk about a device that is almost always present on our networks, but is also routinely neglected.  It routinely receives highly classified traffic and yet people are able to walk right up to it without a second though; our printers.

What once was nothing more than a device that could connect to a computer and print a matrix of dots onto paper (you remember having to tear off the individual sheets along with the feed tracks after you printed?) is now a highly complex device that can scan, copy, and of course print high quality color documents with the push of the button.  Where they were once connected directly to a single computer, we now connect them to the network where they can easily print thousands of pages each and every day in a busy TOC.  From homework assignments to classified operations orders, the printers on our network see just about everything there is to see.

Threats to Printers

Rogue PrinterSo how harmful can a printer be to the network?  Well, it kind of depends on the model printer but here are a few things.  An attacker could conceivably send multiple large print jobs which would tie up the system, waste paper, and waste ink.  Yes, I realize it’s not the end of the world but it it’s a pain in the ass.  Taking it up a notch in threat level, the guy could corrupt the printer’s firmware and essentially leave it as a brick.  Again, this isn’t the end of the world but could definitely cause a disruption to operations.

Up until now, these effects have been annoying but relatively harmless; however this is not where it ends.  In the past, some printers have been vulnerable to modified firmware (which was able to be uploaded without even an administrative password even if it was set) that printed documents like normal, however in the process, it could also send a copy of the data stream to another location, essentially allowing an attacker to see anything that was sent to the printer.  Another vulnerability has been found in some printers that allowed an attacker to send a data packet to the printer which would then rebroadcast it to a desirable location, essentially allowing the attacker to scan your network but on the off chance the scan was detected, it would appear to be coming from your own printer instead of the attacker.  And furthermore, because the packet was originating from within your own network, it is much more likely to be able to move freely through firewalls and other access control devices.

Finally since most printers these days include a built-in web server (which in many cases can’t be turned off) it is possible for an attacker to add or overwrite existing HTML files within the printer to suit their own purpose.  In one case, the page was modified with a redirect that sent visitors to the attacker’s site.  Again because the printer exists in our own IP space as well as on our own DNS servers, it is very likely that normal filters that are in place to catch spam and other attacks may allow this to go through.

How to Protect the Printers

Defending the NetworkSo as stupid as it sounds, how do we protect the printers?  To start with, as with most things on the network, there’s a STIG for that.  I have included the current one (24 Oct 2014) or you can look for an updated one on the DISA STIG site.  Surprisingly what I would consider the number one thing you can do (and probably the easiest) is actually the fourth item on the list….Change the password (or in many cases, put a password on).  Almost every printer now has the ability to set a password (and in many cases an SNMP community string) to protect the printer, however in many cases this is never done leaving well-known default or no passwords at all.  With administrative access to the printer, an attacker has the ability to do pretty much whatever they want to (including everything listed above).

Next, server guys talk about it all the time when it comes to workstations, but rarely do we ever talk about turning off unneeded services on printers.  Many printers have a variety of services running off of them in the background from FTP, to web servers, to a variety of others.  While some of these may be needed to allow the printer to work the way we need it to, in most cases there are unnecessary services running that leave openings for an attacker.  Some printers allow these services to be turned off while others don’t.  At the very least, break-out the owner’s manual and Google and see if it is possible to turn them off.

Another item that is not directly in the STIG but is kind of hinted at (and is how the NECs operate) is to put the printers on a completely separate VLAN away from all clients.  With WIN-T Inc1, this is very easy, just create another VLAN on your Tier 2 switch and trunk it out onto your access switches.  Yes the ports that our printers plug into will have to be specifically configured for this VLAN instead of the normal data one, but that isn’t the end of the world especially considering most TOCs only have a few printers around anyway.  By putting it on a separate VLAN, we now have the ability to control everything that enters onto the VLAN through the use of either the firewall or more likely a simple extended access-control list.  I personally would recommend that you filter for two things:  1.  That you only allow data from the locally hosted networks to enter that VLAN (is there really a reason why someone from outside of that TOC would need to print on that printer anyway?) and 2.  That you allow only the specific ports that are required for the printers to operate to enter.  This will help alleviate the problem of services that can’t be turned off directly from the printer.

While the ports that are required to be allowed through will change from printer to printer (or more likely by manufacture), HP requires the following ports:

  • Printing:  Inbound TCP 9100 / Outbound UDP 427, 137, 161
  • Scanning:  Inbound TCP 9220, 9500 / Outbound 427
  • Device Status:  Inbound UDP 161
  • Device Installation:  Inbound UDP 427

(Again check with your specific owner’s manual for actual ports that your device may need).

Finally, last but not least, upgrade the firmware on the printers.  We routinely patch our workstations, but never take the time to ensure that we have the current firmware for our printers and other attached network devices.  While patches for them are not released nearly as regularly as they are for Windows and other systems, they are out there and should be upgraded to protect against previously identified vulnerabilities.

Other Information

There is a lot of information out there about printer vulnerabilities, just spend a little bit of time on Google and you will find everything you could want and more.  One site I want to point out that really opened my eyes is Irongeek.com which has a posting on a huge number of printer exploits with detailed information (the post is a little old, but appears to still be mostly accurate at least in the bit of testing that I did).  I was able to recreate a lot of what he did on my lab network without much problems.

Update

It was brought to my attention after I posted this that many printers today now have wifi capabilities.  I totally forgot to address this, but it is a great point.  If the printer has wifi built in, you have to be able to turn it off, especially if this is connected to SIPR.  If you can’t turn off the wifi, get rid of the printer.