Giving Hackers a Printed Invitation

Computer criminals may have a new target: the office printer.
January 21, 2011

Add one more device to the list of things you need to protect from hackers: The humble printer.

In two separate presentations scheduled for the Shmoocon hacking conference in Washington, D.C., next week, researchers will show how hackers can use printers to compromise a company’s computer network. One presentation will reveal how poorly secured printers can even be grouped together to act as online storage for cybercriminals.

Over the past decade, many ordinary office devices have gained surprising new functionality—nowadays, some printers can send and receive e-mails, and even browse the Web. But Deral Heiland, an independent security consultant who will give one of the presentations, says manufacturers haven’t given security nearly the attention it deserves in light of all the new features. “These devices have gone from being standard, simple printers that got on the network to the point where they are totally integrated in the business environment,” Heiland says. “And that heavy integration is what makes them a premium target.”

Heiland, who works as a “penetration tester,” or someone who attempts to hack into a company’s network under controlled circumstances, was inspired to look for printer flaws and configuration issues.

At Shmoocon, Heiland will demonstrate a program called “Praeda” (Latin for plunder) that uses a collection of common security flaws and configuration issues—such as default passwords—to gain access to printers from outside a company’s network. Vulnerable printers can then be used to compromise the network. Once the tool gets inside the network, it can steal passwords and files, giving it even more access to servers and other devices.

Heiland says simple configuration issues often make printers vulnerable in this way. For example, many manufacturers do not force users to set a new password to access their device. That means many printers have default passwords that can easily be found in manuals posted online. In addition, printers that can be accessed via a Web browser often run insecure Web server software, allowing a knowledgeable attacker to find usernames and passwords.

“We have found out that with a lot of printers, that data is not obfuscated very well,” Heiland says. “Where it stores the username and password, we can go into the source and find a field with the information in plaintext.”

Mining printers for valuable information is likely to be used by real attackers, says Steve Stasiukonis, managing partner with consultancy Secure Network Technologies (SNT), which also conducts penetration tests against firms. “We never leave any printer unturned,” he says. “There is an enormous amount of wealth resident on those devices. There is data that sits inside the machine that is useful to us.”

Security issues with one brand of printer allowed Ben Smith, another independent researcher, to use the storage space on the devices to create a distributed cloud for storing files. Smith, who asked that the company that makes the printers concerned not be named, will present a program dubbed Print File System, or PrintFS, that automatically finds vulnerable printers via the Internet or in an internal network and turns them into a distributed storage network. The storage space could be used by hackers as a store for malicious programs or other material. Smith found that scanning the Internet for the communication ports used by printers turned up more than enough devices to create a large storage network.

“PrintFS scans all the devices and determines whether a given printer is capable of supporting storing data,” he says. “Depending on the devices, most of the time, you can find 20 to 30 unsecured devices [on a local network] and you can get a gig of storage to 30 gigs of storage.”

Heiland says that “even the printers you have at your house, these multifunction printers, have an ability to do a lot over the Web. They don’t integrate as much, but they can do remote printing and remote scanning.”

Both manufacturers and users should take a hard look at any network device, says SNT’s Stasiukonis. “If it carries an IP address on your network and it carries an interface on your network, then it should be looked at from a security standpoint,” he says.
