I’m quoting Office Space because you might just want to take a baseball bat to the nearest printer.
As is the case with most articles I see online, the headline is wildly exaggerated to get clicks, but the threat is real.
It boils down to two points.
- HP printers do not require code signing on firmware updates
- A firmware update can be remotely received as a print job
Add those things together, and you’ve got a situation where somebody who is able to send a print job to your printer could potentially rewrite the printer’s code. An attacker could then do all sorts of fun things, like put a telnet server on the printer so they can gain an entry point into your network, or email a copy of every print job to themselves.
Most environments have their printers on the internal network only, so that reduces the risk a bit. But threats can come from the inside. Imagine you hire a new intern who is secretly an employee of your competitor. That intern pushes a firmware update to the printer which emails copies of all print jobs to himself, or directly to the CEO of your competitor. Your business is now an open book to them.
You are also still vulnerable to outside attacks. Apart from those foolish enough to have their printers directly connected to the Internet, a local client could also be compromised by a rootkit or botnet and be remotely manipulated into performing the attack.
Printers aren’t usually considered when looking at an environment’s security posture. They are thought of as appliances that just spit out paper, but increasingly they are closer to little servers. They often run an SMTP service to send emails, they can store information about the users that utilize them, and some run an FTP server.
Sometimes this FTP server is not secured properly. The FTP bounce attack can allow attackers to scan your internal network through the FTP server, bypassing all of your security controls.
The link above is an older article by a British security company, but even though it’s three years old, how old is the printer in your office?
Printers are kept for a long time. Make sure they are patched just like any other server.
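To spot the FTP bounce pattern mentioned above, look for PORT commands that point the data connection at a host other than the client that sent them. The detection sketch below is an added example, not code from the linked article or from any printer vendor; the "client_ip command" log format and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# PORT argument format from RFC 959: h1,h2,h3,h4,p1,p2 (six decimal bytes).
# EPRT (RFC 2428) is not handled in this example.
PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(command):
    """Return (ip, port) named by an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def check_port(client_ip, command):
    """Classify one control-channel command sent by client_ip."""
    if not command.strip().upper().startswith("PORT"):
        return "ok"
    parsed = parse_port(command)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(client_ip):
        return "third-party"   # data connection aimed at another host: bounce
    if port < 1024:
        return "low-port"      # data connection aimed at a well-known service port
    return "ok"

def scan_log(lines):
    """Return (line_no, client_ip, verdict) for each suspicious PORT command."""
    findings = []
    for n, line in enumerate(lines, 1):
        client_ip, _, command = line.partition(" ")
        verdict = check_port(client_ip, command)
        if verdict != "ok":
            findings.append((n, client_ip, verdict))
    return findings

# Constructed sample of a printer FTP control-channel log (assumed format).
SAMPLE_LOG = [
    "10.0.5.23 USER anonymous",
    "10.0.5.23 PORT 10,0,5,23,195,80",   # client's own address, port 50000
    "10.0.5.23 PORT 10,0,1,10,0,22",     # another host, port 22
    "10.0.5.23 PORT 10,0,1,11,1,189",    # another host, port 445
    "10.0.5.40 PORT 10,0,5,40,0,25",     # own address but port 25
    "10.0.5.40 PORT 10,0,5,40,999,1",    # byte out of range
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same two checks (address must match the control connection, port must not be a well-known one) are what a properly secured FTP server enforces before opening the data connection.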