Patch your internet-connected printer! Serious vulnerabilities discovered

When you think of IoT chances are that you may picture all manner of gadgets and gizmos: ranging from smart doorbells which let you vet your visitors, to light bulbs which can change their hue with a simple click of an app, to hair straighteners that let you remotely control their temperature.

But there is some technology which has been connected to networks for many years longer, that many users may so comfortably view as “part of the furniture” that it can be easily forgotten that they are also part of the Internet of Things. Such as printers.

Printers, just like any other IoT-enabled device, need to be secured, and updated with the latest firmware and patches to prevent a successful hacker attack.

That’s the message which comes through loud and clear following the announcement by security researchers at NCC Group that they had uncovered multiple security holes in printers manufactured by HP, Ricoh, Xerox, Lexmark, Kyocera, and Brother.

The wide range of vulnerabilities could be exploited by malicious attackers to cause printers to crash, or – potentially more seriously – open backdoors to corporate networks, spy on print jobs, or even send sensitive printouts to unauthorised parties.

Specifically, NCC Group tested the HP Color LaserJet Pro MFP M281fdw, Ricoh SP C250DN, Xerox Phaser 3320, Brother HL-L8360CDW, Lexmark CX310DN, and the Kyocera Ecosys M5526cdw. But it’s possible similar vulnerabilities existed – or may even still exist – in other models.

Thankfully the researchers informed the printer manufacturers about the flaws, prompting them to produce security patches and firmware updates to secure the affected devices from further exploitation. But one has to wonder if the researchers had not investigated the flaws, whether they would have gone unnoticed by the good guys for years to come – and only perhaps uncovered by malicious hackers.

“Because printers have been around for so long, they’re not seen as enterprise IoT devices – but they’re embedded in corporate networks and therefore pose a significant risk,” Matt Lewis, research director at NCC Group, said in a press release announcing the findings. “Building security into the development lifecycle would mitigate most if not all of these vulnerabilities. It’s very important that manufacturers continue to invest in security for all devices, just as corporate IT teams should guard against IoT-related vulnerabilities with even small change: changing default settings, enforcing secure configuration guides and regularly updating firmware.”

The affected manufacturers have posted advisories about the vulnerabilities alongside links to their respective patches:

It’s not a new or trendy piece of advice but it’s as important now as it always was: keep your systems updated to protect against security vulnerabilities.

7 comments