1

I know printers are a security hole. I am trying to get the best setup to minimize risk.

Here's the risk that I am trying to mitigate : that an attacker remotely access the printer, and use it as a launchpad to infect other computers.

So I decided to do this:

  • do not setup access to wifi to the printer. Since I assume settings could be changed, I will not simply disable wifi, I will purchase a printer that does not have wifi capacity

  • among all the printers that work for my need, they all have ethernet capability. I am planning not to plug the ethernet capable, so I should be fine

  • However, all the printers I saw still had mobile printing capabilities (like airprint). This is most unfortunate, because even though they claim to NOT be wireless, they clearly are (airprint for example requires the printer to generate a local wireless network).

So I am trying to decide whether that's a security risk I can completely mitigate : if I purchase a printer with mobile printing capabilities, and I assume an attacker somehow revert my settings to disable this capability, what is the worse that can happen ? Via mobile printing, could they update the firmware of the printer ? Could they use it as a launchpad to infect other computers ? Or does mobile printing protocols strictly only allow sending a document for printing, and it cannot be misused?

DevShark
  • 331
  • 1
  • 10
  • Like any IoT situation, but the devices on a separate network and limit outgoing connections to approved destinations, which should only be the vendor site and ***perhaps*** some local printer server service, if applicable. that way, even if an attacker takes full control of the device, they can't do a thing with it – schroeder May 22 '20 at 12:23
  • If the mobile printing interface is vulnerable, then sure, anything is possible. We can't really determine much more than that. – multithr3at3d May 22 '20 at 13:04
  • @multithr3at3d ok, that's what I was wondering. I was hoping that the protocol would be so restrictive as to make me confident that it can't be hacked in a way that infects the printer with malware. But it sound that's not the case ? – DevShark May 22 '20 at 13:12
  • 1
    @DevShark I mean, I know nothing about the protocol. But even if the protocol is very restrictive in nature, the implementation could still contain vulnerabilities. Without analyzing the specific system, it's hard to know for sure. – multithr3at3d May 22 '20 at 17:22
  • Ok, that makes sense. – DevShark May 22 '20 at 18:15

1 Answers1

1

If you want to use your printer, you cannot mitigate all risks. Even if it is at this moment not possible to hack your specific printer, that does not mean that it won't be possible in the (even near) future. So you need permanent subscription to security/vulnerabilities reports.

What is the worst that can happen? According to Columbia PhD student Ang Cui and Professor Salvatore Stolfo (look them up with google), HP printers can set your house on fire. Or print illegal material (and report you to the cops). Oh, and maybe as a stepping stone.

I am often puzzled by the security needs of people that buy simple SOHO printers. They go far beyond the requirements that medical institutions, banks or even intelligence agencies have for their printers. I hope that someone will explain these extravagant security requirements.

If your security needs are so elaborate, you must look into specialized printing devices (with their price tag) or put them in a Faraday cage (Mu copper, soldered with a centimeter overlap). If you think that is too expensive, than you probably don't want to mitigate all the risks.

At the time of this writing, there do not seem to be any known hacks to mobile printing, other than those that allow printing (of possible "alternative" content).

Ljm Dullaart
  • 1,897
  • 4
  • 11