Removing the jam in your printer security

Printers are an important, invisible—albeit sometimes loud—component of the office. But all too often they’re filled with mystery meat icons, peculiar blinking lights, or error messages with no instruction manual to hand. No problem, you can just print at the next station!

Wrong. Printers also operate online across multiple aspects of your network. So not only are you stopped from printing that healthcare policy form you had to sign, but now you have to wonder: what else may have been intercepted?

This frustration with basic printer/hybrid device operations usually spills over into the workplace with detrimental results. When basic functionality remains a mystery, it can cause plenty of issues elsewhere. In an age of hackable online toasters and home security systems keeping people out of their homes during maintenance, it’s no wonder we forget some of the more mundane perils sitting closer to home.

But wait…printers?!

Don’t think that printers just come out of the box fully secured and ready to roll. You’re probably going to have to do some configuring, both for the printer and any devices that make use of it. Not to mention, there’s physical security to consider, too.

There are a number of ways printers can cause problems for security, and in a few cases they don’t even need to be online. Roughly 80 percent of US offices are open floor plan now, and more often than not, printers and their contents are left lying around for all to access. Something as basic as a poorly-implemented office layout could cause issues by essentially giving dozens of employees physical access to sensitive documents—and that’s just one of the perils to consider.

Outside of physical access, there are also network vulnerabilities, and an admin will need to be sure to apply all updates and patches for them. In addition, accidental or purposeful leaks of scanned or printed documents are an area of concern for highly-sensitive content, such as paychecks, or valuable proprietary information of high-profile targets.

You may not have even considered your printer to be a security issue up to this point, but we’re not making this up. Default settings allowed this printer to potentially serve as anonymous file storage for malicious use. Elsewhere, 150,000 printers worldwide were compromised to “raise awareness of exposed printers.” Got a printer with extras like the ability to fax and turn back the clock to 1991? Whoops, a malicious fax helps take over a PC.

If this is all horribly new to you, don’t worry. We’ll lead you through some of the most common security flash points for printers and hopefully point you in the right direction. 

Physical security: for your convenience?

The whole point of a printer in the office is that anyone can use it, no matter which floor they’re located on, or even if they work from home. It’s not exactly uncommon for someone to be the sole person responsible for printing a document that somebody a few hundred miles away needs to receive. But how can you guarantee the correct recipient is standing in front of the tray when the document leaves the device? And what can you do to ensure the data is securely encrypted while it travels inside your network?

The good news is, a lot of this functionality is now built into modern printers so you can plan accordingly. Many models offer various levels of physical security to accommodate your requirements.

For example, you may want a secure lock on your paper tray if the paper inside is to be used for something business critical. Or how about a variety of watermark-style patterns appearing when unauthorised printing occurs? 

Some manufacturers offer up secure pull printing, where the documents won’t be released from the printer queue without the correct recipient presenting a PIN, or an ID card, or even a QR code. This means no sensitive documents lying around in a tray for anyone to pick up, and—bonus—it even helps the environment by not spilling wasted paper all over the place.
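A minimal model of the pull-printing release step described above, added here as an illustration and not any manufacturer's implementation. The class name HoldQueue, the three-attempt limit and the four-hour hold period are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 3          # assumed limit on wrong PINs before the job is dropped
HOLD_SECONDS = 4 * 3600   # assumed retention period for unreleased jobs

class HoldQueue:
    """Toy pull-print queue: jobs are held, never printed, until released."""

    def __init__(self, now=time.time):
        self._jobs = {}
        self._now = now   # injectable clock so expiry can be tested

    @staticmethod
    def _derive(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def submit(self, job_id, owner, pin, document):
        salt = os.urandom(16)
        self._jobs[job_id] = {
            "owner": owner, "salt": salt, "pin_hash": self._derive(pin, salt),
            "document": document, "failures": 0, "submitted": self._now(),
        }

    def purge_expired(self):
        # Uncollected jobs are deleted instead of sitting in the queue forever.
        cutoff = self._now() - HOLD_SECONDS
        expired = [j for j, job in self._jobs.items() if job["submitted"] < cutoff]
        for j in expired:
            del self._jobs[j]
        return expired

    def release(self, job_id, owner, pin):
        """Return the document only to its owner with the right PIN, else None."""
        self.purge_expired()
        job = self._jobs.get(job_id)
        if job is None or job["owner"] != owner:
            return None
        ok = hmac.compare_digest(self._derive(pin, job["salt"]), job["pin_hash"])
        if not ok:
            job["failures"] += 1
            if job["failures"] >= MAX_ATTEMPTS:
                del self._jobs[job_id]   # short PINs are guessable: drop the job
            return None
        return self._jobs.pop(job_id)["document"]
```

The owner argument stands in for whatever identity the device reads from a badge or login; a released job is removed from the queue, so it cannot be printed twice.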

Manufacturers might also provide encryption for wherever the document is stored in the print queue, whether on site or in the cloud, and offer encryption for every step of the document’s journey across the network.

With these types of processes in place, you may not need to worry about additional security measures of a slightly less hi-tech variety. These may include:

  • Making staff top up ID cards with “printing funds” to ensure lack of paper waste and rogue prints lying all over the place
  • Installing the printer in a secure, lockable room with CCTV
  • Restricted access to certain types of paper used for money wires or billing/expense claims

If you’re stuck with a printer model that doesn’t do most or all of the above, these are the backup measures you’ll want to keep in mind.


Locking down digital files and network authentication

You won’t find many printers lacking the ability to scan, and while locked-down print jobs are all well and good, there’s an obvious risk from paper files becoming digital ones, which could then be sent to all and sundry.

This is why some devices offer services such as locking down PDF scans, which usually involves automatically placing a password onto the file: to open it, you’ll need to have authorisation to receive the password in the first place. Others will even encrypt the scan, adding to a general overall sense of “This probably won’t end up on eBay.” If you need a device to allow some forms of protocol but deny others, or operate within certain network security policies, there are some that can potentially do that too (browse to Section 3).

At the top end of printing hardware, the devices can do everything from ensuring BIOS integrity and whitelisting to running real-time intrusion protection. This is quite a way off from me feeling reasonably accomplished when freeing up my tenth paper jam of the day, but the increased complexity in device security is definitely worth it for organisations in need of paper trails, auditing, and locking down every last inch of their potential attack surface.

Memory retention: all in the mind

Modern printers tend to have a bit of storage space rattling around in their plastic casing, alongside support for USB sticks and memory cards. The good news is, the bulk of it is temporary and is supposed to vanish in a puff of smoke (hopefully not literal smoke, or you have a whole new set of problems to worry about) when you unplug the device.

Even so, if you’re going to dispose of a printer, you’ll want to make sure you’ve done a few things. First: remove all external storage such as USB sticks and memory cards. After that, check the manual and see exactly what kind of storage is included in the hardware and how you wipe it. The chances of anyone coming across your old printer and trying to reconstruct or extract content from it are extremely remote, so this is an absolute last step.

10 percent ink remaining

There’s a lot to think about where printer security is concerned, along with a few special considerations. The near endless stream of people having to use a handful of devices across an organisation on a daily basis is unique, and presents additional worries where social engineering and insider threats are concerned. Some of the more rock solid security solutions for printers can be rather expensive, and not everyone has a budget to accommodate those kinds of purchasing decisions.

Having said that, even if you can’t drag the latest and greatest technology into the office, you can certainly come up with a few Plan B’s like some of those listed up above. Once you realise how vulnerable an insecure printer on the network can be, something is most definitely better than nothing.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.