Is A Network Printer Increasing Your PCI Vulnerability?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

From a purely PCI perspective, network printers pose a network risk if they connect to any in-scope systems. At the least, your PCI penetration testing should identify any multi-function printers or scanners and make sure any usernames and passwords are protected. Such a printer should be treated like a server that contains sensitive data, because that's exactly what it is.

The problem with these multi-function printers is that—in some cases—they store credentials, including usernames and passwords, in cleartext. That is, this critical information is not securely stored on the device. That means a hacker can access the printer's address book to extract usernames and passwords. If one of these passwords is for a domain administrator, for example, the hacker can access potentially all other folders, files and servers in that domain. Imagine the cyberthief using these credentials to look at files with names like "payroll backup" or "corporate travel cards," and you begin to get the picture.

Has anyone ever installed a computer workstation and not connected it to a local or network printer? I doubt that has been the case very often, and it's likely the connection was made without much thought. But today's printers do much more than just print; they are multi-function machines that print, fax and scan documents, and then transmit them to addresses stored in their address books. These devices are usually networked (including wireless), and they may have access to the Internet, too. This practice exposes a potentially dangerous attack vector, whereby a hacker can gain access to domain credentials and other systems by compromising your networked printer.

Today's network printers are essentially full-function servers, lacking security features and with few options for hardening them.

The vulnerabilities I am talking about are not theoretical; they are real. Because I work for a security company, I get to spend time with some pretty smart white hat (i.e., good guy) hackers and penetration testers. One of my colleagues has looked at the most commonly installed printers and identified significant vulnerabilities that could lead to a data compromise.

The risks from networked printers are certainly not new, but the concern is typically centered on the documents stored in the device's extensive memory and the threat of compromise through physical access to the storage media.

Two things are different here.Two things are different here. Not only is this a proven attack that can uncover user credentials remotely, but it also can provide network access to other devices that may contain sensitive data. Beyond the cleartext usernames and passwords referenced above, there are other risks. If the attacker connects to the networked printer/copier/scanner in, say, a chargeback or card processing center, the thief could remotely order scans to capture documents left on the device. The attacker may be able to get away with this activity for long periods of time, because printers usually are not subject to the types of monitoring that would normally apply to other servers.

These attacks could be executed remotely, so the hacker never needs to expose himself. Furthermore, the attack does not require particularly sophisticated techniques. It is an old-school attack on a new-school device. In my colleague's experience, the attacks are about 90 percent successful. Too many people fall prey to a "set and forget" mentality when installing a printer—setting the password once and assuming the device is always doing everything right forever after.

IT departments can mitigate the risk of falling prey to this vulnerability in several ways. First, assume the devices are vulnerable and restrict access to them, and then segment them on their own network and protect them behind firewalls or other devices. Many companies take these precautions already, but many others allow the printers direct access to the Internet. This option makes them—and any system connected to them—particularly vulnerable, because anyone on the planet could access your unhardened network devices.

Ultimately, in the long term, it is up to the manufacturers to re-architect their products to protect the information. It also would be great if they could offer a way to retrofit additional security onto existing devices, so they at least did not store user credentials in cleartext. We can only hope that at least some manufacturers will see a marketing advantage and bring more secure devices to the market.

What do you think? Do you still think a paper jam is the biggest problem with your printer? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].