A new research paper looks at the security risks posed by the printers found in most offices and homes – and coins the term PrintJack to mean the hijacking of a printer by a threat actor.
The research paper outlines three types of attack that could leverage a compromised printer. The standard TCP/IP port used for connecting to printers in 9100 – and a search of the Shodan service reveals over 12,000 devices available on the internet on this port in the UK alone (Shodan search term: port:9100 country:”GB”). The three attack vectors to consider are:
Zombie printers used in botnets for DDoS
Internet connected printers could be compromised and incorporated into a botnet for use in a Distributed Denial of Service attack against targets within or outside the printer’s own network.
Printer Denial of Service
The printer itself could be rendered unusable either by sending specially crafted print jobs which put the printer into an infinite loop or print continuously until all the paper and toner is exhausted. In 2018 100,000 printers were hijacked to promote a YouTube channel in a publicity stunt.
Data breach and GDPR
Perhaps the most serious threat is the interception of the print jobs in a man-in-the-middle attack in order to extract the contents of the printed pages. In banks, insurance firms or health care settings, for example, the contents of printed forms will contain personal information that is protected under GDPR, yet the contents of print jobs are not encrypted or protected. A network sniffer that intercepted a print job on the local network would be able to extract all the text destined for the printed page relatively easily.
Many printers also incorporate local storage so print jobs can be buffered locally or re-printed from the control panel (after a paper jam for example). The contents of these stored jobs may also include confidential and private data which could be retrieved when the printer is disposed of or sent for repair. It is worth considering a sanitisation process for printers that mirrors the way disc drives and computers are data cleansed before they leave the business.