Daniel O'Connor, a Master's degree student at Dublin City University, set out to determine just how easy it was to hack into printers to access sensitive information (read the original article here). When IT security is put in place, the focus tends to be on key components of the IT infrastructure like servers and PCs. Printers are often overlooked but have their own internal memory and operating system, which makes them more like computers and, therefore, vulnerable to attack.
O'Connor's thesis focussed on HP's JetDirect print technology but the findings have important implications for any organisation that operates network printers. Printers using JetDirect are not set with a password by default, making it easy for an attacker to gain access; for instance, O'Connor was able to access a JetDirect printer's control panel remotely using a web browser. Once access had been gained, he then showed it was possible to track documents being sent to the printer over the network and read their contents. It was also possible to create a hidden directory on the printer to store documents that had been printed, then download them and remove any traces that the printer had been compromised.
The thesis includes several options that IT administrators can employ to make printers more secure, and we take a look below at what you can do to protect data sent to the printers on your network. You can also find more information on printer security here.
- Overwrite the data on the hard drive. If your printer has a hard drive, it stores data every time you print, scan, fax or copy. When you dispose of the printer at the end of its life, overwrite the data on the hard drive – several times – to ensure that the data is unreadable. However, data can be stored on the drive (and accessed) at any time, so consider overwriting data immediately after a job has completed to protect individual jobs.
- Encrypt the printer's drive. If the data on your printer's drive is sensitive, it should be encrypted so that it can't be read even if the drive is removed from the printer. Some encryption protocols can be broken easily, so ensure that you're using one which is sufficiently robust.
- Print from memory. Printing from the device's RAM may slow down the print job but doesn't leave any data on the hard drive.
- Secure printing using passwords. Secure printing, a common feature on today's printers, allows you to send a job to the printer, then walk up to the control panel and enter a password to release the job. This eliminates the possibility of sensitive documents being left on the printer for anyone to see. Secure printing is also possible with smart-card readers, biometrics or a combination of all of the above, depending on the device. MFPs are particularly vulnerable to attack, so consider securing the copy, scan and fax functions too.
- Timeout the user. Look for a timeout feature which will automatically log out a user after a period of inactivity – useful when someone prints a sensitive job, then walks away from the printer having entered a password but forgetting to log out. You may also want to set a timeout for secure jobs, so they are cancelled and deleted if they’re not printed after a specified period of time.
- Turn off the reprint command. Or buy a printer which doesn't have a reprint feature.
- Scan encryption. MFPs can send scanned documents to a PC, internal FTP site or as an e-mail attachment; look for a feature which encrypts these documents so they can only be read by someone with a decryption code.
- Unauthorised copy control. Some printers will allow you to add a hidden security watermark to printed documents. The watermark doesn't show up on the original but will if the document is copied, which helps discourage unauthorised copying.
- Secure mailbox print. Some MFPs allow you to store print jobs or scanned documents that are used repeatedly in a "mailbox" on the printer's hard drive. You may want to consider requiring a password to store and/or access documents in the mailbox.
- Fax and e-mail destinations. By defining a list of e-mail and fax destinations for a user to choose from and preventing users from adding addresses from the control panel, you can ensure that documents are only sent to designated safe destinations.
- Who sent the e-mail. Some MFPs will automatically send e-mails from the address of the person who's logged in to the printer so administrators can track who has sent which e-mail. It also stops people sending e-mails that appear to be from another user.
- Account tracking and activity logs. Account tracking features which are usually used for billing can also be used to check who has printed, scanned, faxed, copied or e-mailed what, so administrators can spot whether users have been working with documents they shouldn't be.
- Virus protection. If your printer is using a Windows-type operating system, download any available security patches to ensure that your printer’s OS is as secure as possible.
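As an illustration of how the timeout, destination-list, sender-address and activity-log points above can be checked together, here is an added example (not from the thesis or any printer vendor) that reviews an exported activity log. The CSV layout, the example.com mail domain, the four-hour timeout and the sample rows are all assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column layout is hypothetical, not a vendor format.
SAMPLE_LOG = """\
timestamp,user,action,document,sender,destination,status
2024-03-04T09:12:00,alice,print,q1-forecast.pdf,,,released
2024-03-04T09:15:00,bob,scan_email,contract.pdf,bob@example.com,legal@example.com,sent
2024-03-04T09:40:00,bob,scan_email,payroll.pdf,bob@example.com,bob.home@example.net,sent
2024-03-04T10:00:00,carol,print,hr-review.docx,,,held
2024-03-04T11:30:00,dave,fax,invoice.pdf,,+35315550100,sent
2024-03-04T12:05:00,dave,scan_email,memo.pdf,alice@example.com,legal@example.com,sent
"""

# Assumed policy values: the administrator-defined destination list,
# the organisation's mail domain and the secure-job timeout.
ALLOWED_DESTINATIONS = {"legal@example.com", "+35315550100"}
MAIL_DOMAIN = "example.com"
HELD_JOB_TIMEOUT = timedelta(hours=4)


def review(log_text, now):
    """Return (finding, user, document) tuples for entries that break policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        who, doc = row["user"], row["document"]
        # Fax and e-mail destinations: anything off the approved list is flagged.
        if row["destination"] and row["destination"] not in ALLOWED_DESTINATIONS:
            findings.append(("unapproved_destination", who, doc))
        # Timeout: a secure job still held past the limit should have been deleted.
        if row["status"] == "held" and now - when > HELD_JOB_TIMEOUT:
            findings.append(("stale_held_job", who, doc))
        # Who sent the e-mail: the sender must be the logged-in user's own address.
        if row["action"] == "scan_email" and row["sender"] != f"{who}@{MAIL_DOMAIN}":
            findings.append(("sender_mismatch", who, doc))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, datetime(2024, 3, 4, 17, 0)):
        print(*finding, sep="\t")
```
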
Finally, one last word on printer security – passwords, passwords, passwords (ok, that's three – or rather, the same word three times). Seriously, this is something that nearly all electronic devices have and nearly all of us overlook. Everything from your mobile phone to your Sky+ box to your office printer has some kind of password protection built in but how many of us bother to activate it or change the password from the factory default? It usually takes just seconds and is an absolute must if you're even slightly worried about someone else accessing your information.
by Anthony Morgan