You Overtrust Your Printer

TL;DR

This paper highlights the significant security vulnerabilities of networked printers, demonstrating their potential to be exploited for attacks, data breaches, and as part of botnet-like threats, emphasizing the need for improved printer security.

Contribution

It introduces the Printjack family of attacks, revealing vulnerabilities and risks in printers that are often overlooked, and advocates for enhanced security measures in the IoT era.

Findings

Identified three new printer attack vectors (Printjack).

Many printers accept unauthenticated print requests, increasing attack risk.

Data interception during printing poses significant breach threats.

Abstract

Printers are common devices whose networked use is vastly unsecured, perhaps due to an enrooted assumption that their services are somewhat negligible and, as such, unworthy of protection. This article develops structured arguments and conducts technical experiments in support of a qualitative risk assessment exercise that ultimately undermines that assumption. Three attacks that can be interpreted as post-exploitation activity are found and discussed, forming what we term the Printjack family of attacks to printers. Some printers may suffer vulnerabilities that would transform them into exploitable zombies. Moreover, a large number of printers, at least on an EU basis, are found to honour unauthenticated printing requests, thus raising the risk level of an attack that sees the crooks exhaust the printing facilities of an institution. There is also a remarkable risk of data breach following an attack consisting in the malicious interception of data while in transit towards printers. Therefore, the newborn IoT era demands printers to be as secure as other devices such as laptops should be, also to facilitate compliance with the General Data Protection Regulation (EU Regulation 2016/679) and reduce the odds of its administrative fines.