[German]Printers are widespread, even if the paperless office is the goal. Printers are networked, but rarely protected against attacks. People don't think the devices are really worth protecting. But in times of IoT and under the General Data Protection Regulation (GDPR), this can lead to significant problems and nasty surprises. Researchers from Italy have tackled the issue and found three attack possibilities at once, labeled Printjack, that can lead to security problems and GDPR violations for printers.
Advertising
In a paper titled You Overtrust Your Printer, Giampaolo Bella (Dipartimento di Matematica e Informatica, Universit`a di Catania, Italy) and Pietro Biondi (Istituto di Informatica e Telematica – Consiglio Nazionale delle Ricerche) describe the issues:
Printers are widely used devices whose networked use is highly unsecured, perhaps due to the deeply ingrained assumption that their services are negligible and therefore not worth protecting.
In the article, structured arguments are developed and technical experiments are conducted to support a qualitative risk assessment for printers. At the end of the experiments, it was determined that the assumption that printers as services are negligible and therefore not worth protecting cannot stand. The researchers found three ways of attacking printers that can be interpreted as postexploitation activities.
- Some printers can be afflicted with vulnerabilities that would turn them into exploitable zombies. Inclusion in botnets or use for crypto-money mining are conceivable.
- In addition, a large number of printers, at least at the EU level, have been found to accept unauthorized print requests. This allows attackers to access these printers from the outside.
- And third, there is also a considerable risk of data breach by maliciously intercepting data on its way to the printer.
The matter is discussed under the term printjack, and the conclusion of the article is that printers need to be just as secure in the new IoT era as other devices (such as laptops, for example, should be). One point is, to be able to comply with the requirements of the European General Data Protection Regulation (GDPR). (via)
