There has been a significant increase in the number of cyber-attacks using printers as an intrusion vector, according to Paul McKiernan, print security advisor at HP Inc.
Speaking to SC Media UK at Infosecurity Europe 2017 yesterday (Wednesday 7 June) McKiernan said, “We are seeing more incidents reported to us this year than last year. Just last night in Denmark, a user noticed a memory corruption error. The device was not connect to a SIM and viewed by a SOC or it would have been seen instantaneously – nonetheless, the user spotted it and told the IT department.
“They were then able to execute their incident response plan, disconnect the device, go in and retrieve information and look at their monitoring to find where the attack had come from and shut down that attack vector. They've not got to the root cause yet. So the right thing was done but we need it automated. It's a large private Danish company that reported the attack at the close of business last night.”
McKiernan noted how the issue was increasingly appearing on a lot of organisations' radars, but that during InfoSec 2017 there had been visiting overseas ministers of defence on their stand who had been blissfully unaware that printers might be an attack vector, while a local transport organisation was clearly very aware – thus it was a very uneven pattern.
It was explained that printer security faces the same threat actors that may be targeting businesses generally, looking for the weakest link in their infrastructure – ingress or egress points or propagation nodes. Therefore McKiernan advised users not to think of printers as simply commoditised devices, with only the purchasing dept making decisions, but no CISOs input, and only looking at best prices; instead users should integrate their printers into mainstream cyber-security tools sensibly.
McKiernan notes that a lot of vulnerability scanning devices will not provide details on the biggest risks in print. To protect networks fully it is necessary to know the organisation's business process and workflow, including the weakest application talking to the printer.
“If you are not monitoring your printers, with a CIS log going to your to your SIEM, a hacker could execute malware on the printer and not on the computer which is monitored. It would wait until the document is printed – which is a stream of data that can carry malware instructions to deploy. One-time intrusion detection scans are needed for those type of things,” says McKiernan.
CISOs need to be aware that there is an ongoing growth in memory-based attacks. There have been reports in the media of printers with open internet connections – identified using Shodan, and publicised by Stackoverflow – which highlights the problem to both the potential victim and potential attacker.
Some view this action as a public service – though McKiernan noted, “We don't condone it” – but by sending messages to screens of 150,000 Open Internet users, with embedded code to send a screen message, using genuine functionality, awareness of the problem is growing.
As McKiernan observes, “It's amazing what a security incident will do for the perspective of company management.”