Master’s student Daniel O’Connor, conducting research for a thesis at Dublin City University, has discovered security flaws in printers that allow potentially sensitive documents to be read remotely by hackers.
The portal left open
Printers are often overlooked when IT security policies are put in place, and this can leave them open to exploitation. Network servers and PCs typically get the brunt of the security efforts, but modern printers have their own internal memory and an operating system, which makes them more like computers than conventional printers.
O’Connor’s work focussed on HP’s JetDirect printing technology that seems to be emerging as an industry standard. By default, these printers are not set with passwords so it is easy for an attacker to gain access.
O’Connor showed that it is possible to access a JetDirect printer’s control panel remotely with a web browser. A hacker could then “sniff” a document on its way to a printer over the business’s network and read it online.
Joining the network
It doesn’t stop there. O’Connor went on to show that an attacker could create a hidden directory on the printer where they could then store documents that had been intercepted, download them to another computer and then remove any traces of the breach.
The university hastens to add that the practical part of the project, proving these exploits could be carried out, was conducted on printers O’Connor had been given permission to test.
Message for administrators
“He wanted to see how easy it would be,” said Renaat Verbruggen, chair of the MSc in security and forensic computing in DCU’s school of computer science, who supervised Mr O’Connor’s research.
O’Connor’s thesis provides a number of options to make networked printers more secure, such as applying passwords for anyone who needs to administer the device, encrypting documents that are sent to the printer, and disabling the ability to download data from it.
“It’s a warning for network and printer administrators. They’re the people who have to fix it,” said Mr Verbruggen.