A master’s degree student at Dublin City University has demonstrated security flaws in printers that make them accessible over the internet to unauthorised third parties and allow potentially sensitive documents to be read remotely.
Daniel O’Connor said that unlike PCs, printers are often overlooked when IT security policies are put in place, and this can leave them open to exploitation.
“There’s a bit of an urban myth out there that you can get at printers and he wanted to see how easy it would be to get at them,” said Renaat Verbruggen, chair of the MSc in security and forensic computing in DCU’s school of computer science, who supervised Mr O’Connor’s research.
The thesis focused on JetDirect printing technology, which was developed by HP and is used by HP and several other printer manufacturers. By default, these printers are not set with passwords, so it is easy for an attacker to gain access.
Current printers have their own internal memory and an operating system that makes them more like computers. Mr O’Connor showed it was possible to access a JetDirect printer’s control panel remotely with a web browser.
A malicious user could then “sniff” traffic going to a printer over the network and be able to read the contents of a document.
The research also shows that an attacker could create a hidden directory on the printer where they could store documents that had been printed, download them and then remove any traces of the breach. The practical part of the project, to prove these exploits could be carried out, was conducted on printers Mr O’Connor had been given permission to test.
The thesis provides several easy options to make printers more secure, such as applying strong passwords for anyone who needs to administer the device, encrypting documents that are sent to the printer or disabling the ability to download data from it.
“It’s a warning for network and printer administrators. They’re the people who have to fix it,” said Mr Verbruggen.
Gary Tierney, country manager for HP’s printing and imaging group in Ireland, said the company has been drawing customers’ attention to printer security. HP is the largest printer manufacturer in the world by market share.