FR Design - stock.adobe.com
NCC Group warns of security risks of leading printers
Researchers uncover more than 35 vulnerabilities in six leading enterprise printers, many of which could allow access to corporate networks, underlining the need to counter security risks of embedded systems
Researchers at NCC Group have uncovered “significant vulnerabilities” in six commonly used enterprise printers, highlighting the vast attack surface of printers and other internet-connected devices and the need to keep systems patched up to date.
Testing mid-range enterprise printers manufactured by HP, Ricoh, Xerox, Lexmark, Kyocera and Brother, uncovered a wide range of vulnerability types using basic tools, with some vulnerabilities being uncovered in minutes, the researchers said.
The testing included web applications, web services, firmware and update capability, as well as carrying out hardware analysis.
The potential consequences of exploiting the vulnerabilities include denial of service attacks that could crash printers, the ability to add backdoors into printers to maintain attacker persistence on a network, the ability to spy on every print job sent to vulnerable printers, and the ability to forward them to an external internet-based attacker.
All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.
“Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks, and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT,” said Matt Lewis, research director at NCC Group.
“Building security into the development lifecycle would mitigate most, if not all, of these vulnerabilities and so it’s therefore important that manufacturers continue to invest in and improve cyber security, including secure development training and carrying out thorough security assessments of all devices.
“Corporate IT teams can also make small changes to safeguard their organisation from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides and regularly updating firmware.”
The printers tested by the researchers are: HP Color LastJet Pro MFP M281fdw; Ricoh SP C250DN; Xerox Phaser 3320; Brother HL-L8360CDW; Lexmark CX310DN; and Kyocera Ecosys M5526cdw.
The vulnerabilties in HP printers include buffer overflows, cross-site scripting (XSS) vulnerabilities and cross-site forgery countermeasures bypass.
HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. "HP encourages customers to keep their systems updated to protect against vulnerabilities," the company said in a statement.
The vulnerabilities in Lexmark printers include denial of service vulnerability, information disclosure vulnerabilities, lack of cross-site request forgery countermeasures and lack of account lockout.
The vulnerabilities in Kyocera printers include buffer overflows, broken access controls, cross-site scripting vulnerabilities and lack of cross-site request forgery countermeasures.
The vulnerabilities in Brother printers include stack buffer overflows, heap overflows and information disclosure vulnerabilities.
The vulnerabilities in Ricoh printers include buffer overflows, lack of account lockout, information disclosure vulnerabilities, denial of service vulnerabilities, lack of cross-site request forgery countermeasures and hardcoded credentials.
The vulnerabilities in Xerox printers include buffer overflows, cross-site scripting vulnerabilities, lack of cross-site request forgery countermeasures and lack of account lockout.
Read more about IoT security
- The IoT Security Foundation has published a guide on security for smart buildings to highlight key issues and gather feedback to inform future guidance for industry stakeholders
- The UK plans to introduce measures to require that basic cyber security features are built into internet-connected devices.
- IoT researcher says unconfigured internet-connected devices are a largely unrecognised cyber security risk to businesses and consumers, and welcomes the increased likelihood of UK IoT legislation.
- UK firms have one of the lowest internet-of-things device breach detection capabilities in Europe, a study reveals.