Data Security: When did you last check your printers?

Most enterprises have suffered at least one data breach through their printers. Meanwhile, researchers have recently highlighted the fact that many 3D printers are routinely being exposed online without any adequate access controls.

Here’s the problem: too many of us overlook printers as dumb peripherals when in reality, they are anything but. Connected, ‘always on’ and a gateway to a mine of sensitive information, printers deserve the same level of protection as any other endpoint.

3D printers: what’s the problem?

If you work for a manufacturer, proprietary product blueprints will likely be among the most valuable files under your charge. Restricted access, 2FA, encryption in flight: when it comes to security, you’re going to make sure that these assets get the Rolls-Royce treatment (at least, most of the time).

But once this data is processed as part of the production process, it’s often a different story. For instance, researchers for the SANS Internet Storm Center (ISC) have recently highlighted how an absence of basic access restrictions means that data processed by 3D printers can be left wide open to exploitation.

The printers in question use the open source project, OctoPrint. This is a Web interface that enables users to monitor and control 3D print jobs from anywhere across their networks and keep a virtual eye on the printing process.

It seems that in many instances, OctoPrint is being deployed without any restrictions on access to this Web interface. A snapshot check picked up on a total of 3,749 publicly open interfaces connected to an online printer with an operational status.

The vulnerabilities:

  • With Octoprint, Files uploaded to the printer are in G-code, a simple unencrypted script used to issue production instructions for the 3D production process.
  • When exposed via the open interface, it becomes possible to upload these G-code files and print them (easy and effective IP theft for anyone with access to a 3D printer!).
  • This also provides scope for malicious tampering, including downloading, altering and then re-uploading the print file to materially alter the physical makeup of the end product. There’s also the possibility of delivering deliberately destructive code with a view to wrecking the actual printer.

The fix:

  • When using a print tool, never assume that access controls are enabled by default. You’ll almost certainly need to activate them.
  • If you plan to make your print tool accessible online, consider carefully who has access to the print files and all other data. Only authenticated users with the appropriate level of privilege should be given this access.
  • Access controls should be set at administrator level and should not be capable of being overridden by other users.
  • If your access controls are fit for purpose, it should not be possible for anonymous, non-authenticated users to access those parts of the interface that enable your project files to be viewed or otherwise accessed.

Some wider issues with printers…

When Quocirca surveyed 200 enterprises across the US and Europe, it found that 61% had suffered at least one data breach through insecure printers. Risks include the following:

Printed documents left exposed in print trays. From documents being married to the wrong physical file, through to poor document disposal practices, this presents a clear risk of data ending up in the wrong hands. And when it comes to personal data, this can be an easy way of getting on the wrong side of the Regulator (remember that GDPR is as much concerned with physical data as digital!).

Unauthorised access to files stored on the printer hard drive. Just because your printer happens to have local storage capabilities, that’s no reason to make full use of it. If there is no clear business case for data being stored at a particular endpoint, then don’t do it.

Network vulnerabilities. The UK’s NCSC cites instances of printers being remotely disabled for ransom, accessing exposed printers for destructive purposes and pausing the print queue with a view to extracting data.

Staying safe…

Always make sure that printers are included in your asset inventory and that they are subject to your wider security policy.

Look carefully at controls to limit network access, to ensure that the risks of external exploitation are minimised (e.g. automatic patch management) and that the data stored on it is secured (e.g. via hard disc encryption).

This goes for decommissioning, too: (did you deploy an overwrite kit on the drive before you disposed of that old printer?).

The answer, of course, is to ensure that printers are treated in the same way as all other connected devices that make up your IT architecture.

CATEGORIES
  • fernando says:

    great article. I had heard of these vulnerabilities but, it was kind of “windy” now I understood and I will dig deep. Thanks and greetings.

    • Jay King says:

      I’ve always thought of printers be in a security vulnerability. The first time I found out many years ago that a printer has a hard drive and remembers what copied print it etc, I knew it was very dangerous.

      Now printers are on line is even worse because anything that the printer does in the business is accessible by all possible threats

  • Hammad says:

    Thanks for the information, this type of valuable information is great to come via this channel.

  • Star says:

    Thanks for bringing awareness to us about these vulnerabilities, great information.
    *

  • Zorildo Rodrigues says:

    Excellent printers security information. Thanks Nathan

  • Daniel Glaser says:

    Wow. The company I’m working for now doesn’t save to printers, but the local library got hit in their 3D printers recently. This information is really good to know.

  • Thomas Arillotta says:

    Great article. It had never entered my mind that (being a newbie in Cyber Security) 3-D printers come into the equation. Now I know!

  • Nana Peprah says:

    Great article thanks for keeping us well informed. Are there any websites you could recommend that have great articles for people like me/us that are interested in getting into network security?

  • Sushil says:

    Awesome article, as I am a cybersecurity training I am well aware of these technical terms. And, I appreciate that you have taken the initiative to make other people aware of these vulnerabilities.

  • Jay King says:

    Wonderful Detailed Information. I cringe when I think about how many security experts do not know this information.

  • Cyber Security Training in Jaipur says:

    Great post!!! I am also searching this kind of informative post

  • lillywillams says:

    Great information !

  • Alishia says:

    Researchers have also proposed various ways to test 3D models during printing or after printing in order to check whether there are any malicious modifications.

  • >