Printers can pose security risk
In the office or at home, printers are rarely given any thought as long as they can convert digital documents into physical papers. As they have become connected and integrate with other devices on the network, printers are no longer just a fixture, but a node that can be exploited to access confidential data or used as a jump-off point to another system.
To minimize security risks, HP started a bug bounty program for some of its printers. The company works with Bugcrowd – a crowdsourced security platform – to handle the vulnerability disclosures and hand out rewards as high as $10.000, depending on the severity of the bug. Payments are given even for reporting security issues already discovered by HP itself.
Printers are well known as a weak link on the network, mostly because owners fail to configure them properly. Over the course of one month earlier this year, Bitdefender BOX 2 reported that half of the devices it identified as printers were protected by an easy-to-break password. Such negligence is an invitation for hackers to try to take control of the printing job or the document queue.
Swapping the factory access credentials for strong, unique ones should be an essential step when setting up your printer; and so should be shielding it from access over the internet, unless you really need it. This is a security measure that depends entirely on the user.
Two years ago, a hacker commanded thousands of printers to spew out racist fliers. Five lines of code delivered through a port that should not have been reachable over the internet made this possible. The experiment saw the offensive messages reach universities and colleges all over the United States.
A year later, another hacker, by the moniker Stackoverflowin, pulled a world-wide joke that had more than 150,000 printers inform their owners their devices were part of a “flaming botnet.” Models from multiple brands responded to the commands of the hacker, who claims to also have exploited bugs in Xerox products printers to take control of more printing devices.
The aim of the bug-bounty program is to strengthen HP’s products at the firmware level and remove the possibility of cross-site scripting (XSS), remote code execution (RCE) and cross-site request forgery (CSRF). In the long run, code that is more resilient to attacks translates into multiple advantages, including consolidation on the market and delivering better products to other customer segments.
The printers of today come with more processing power than ever. They are part of the Internet-of-Things world, integrating perfectly on the local network, and can receive print jobs from portable devices either through direct wireless connection or over the network. This makes them as attractive a target as any other smart device, so they deserve proper protection.
Image credit: jarmolukbug bounty Bugcrowd HP printer vulnerability vulnerability disclosure