Davey Winder
Wednesday, 30 September 2009 16:45
Probably the last thing you are worried about is someone hacking into your printer. After all, why would anyone want to do that?
The why is easy: a networked printer is pretty much at the centre of a
modern office environment. It will probably have a decent amount of
on-board hard drive storage to keep document images. Documents that
have been printed, scanned or even faxed. Documents that can contain
highly sensitive corporate information.
The older your printer hardware, the less
likely it is to have the kind of security functionality that comes as
standard on the latest top-end devices. And that means the easier it
will be for the bad guys to gain access to your data.
Still not taking this seriously? The IEEE is, and insists that
networked printers and other 'hardcopy peripherals' such as
photocopiers and multifunction devices are vulnerable to
attack and have the potential to compromise the most comprehensive of
security protocols.
Indeed, so concerned is the technical professional association and
standards developer that it has now approved IEEE 2600: the Standard
for Information Technology - Hardcopy System and Device Security.
The IEEE Standards Association (IEEE-SA) states
that the standard "defines security requirements (all aspects of
security including but not limited to authentication, authorization,
privacy, integrity, device management, physical security and
information security) for manufacturers, users and others on the
selection, installation, configuration and usage of hardcopy devices
and systems; including printers, copiers, and multifunction devices".
Which means issues such as authentication, authorisation, data
integrity and data privacy are all encompassed by the new standard.
Prior to IEEE 2600, there simply were no standards available in order
to guide manufacturers or users of hardcopy devices in the secure
installation, configuration, or usage of their printers, apparently.
What's that? You are so laid back about your printer that, provided it
actually works and prints stuff without problem, you don't even update
the drivers, let alone get your knickers in a twist over theoretical
security vulnerabilities?
Larry Kovnat, a product security manager with Xerox, thinks you are
making a big mistake. He told Dark Reading
that when it comes to printer security "You've got to treat them like
another computer node and make sure you put the right controls on them".
Especially when proof-of-concept attacks, such as the cross-site
printing one that can hack a printer after a visit to a website
containing malicious JavaScript code, have already been demonstrated.
Or how about the "Acoustic Side-Channel Attacks on Printers" paper, which
describes how dot-matrix printers can reveal what is being printed by
reconstructing the text from a sound recording of it printing a
document?