Most enterprises have suffered at least one data breach through their printers. Meanwhile, researchers have recently highlighted the fact that many 3D printers are routinely being exposed online without any adequate access controls.
Here’s the problem: too many of us dismiss printers as dumb peripherals when in reality, they are anything but. Connected, ‘always on’ and a gateway to a mine of sensitive information, printers deserve the same level of protection as any other endpoint.
3D printers: what’s the problem?
If you work for a manufacturer, proprietary product blueprints will likely be among the most valuable files under your charge. Restricted access, 2FA, encryption in flight: when it comes to security, you’re going to make sure that these assets get the Rolls-Royce treatment (at least, most of the time).
But once this data is processed as part of the production process, it’s often a different story. For instance, researchers for the SANS Internet Storm Center (ISC) have recently highlighted how an absence of basic access restrictions means that data processed by 3D printers can be left wide open to exploitation.
The printers in question use the open source project OctoPrint. This is a Web interface that enables users to monitor and control 3D print jobs from anywhere across their networks and keep a virtual eye on the printing process.
It seems that in many instances, OctoPrint is being deployed without any restrictions on access to this Web interface. A snapshot check picked up a total of 3,749 publicly open interfaces connected to an online printer with an operational status.
Some wider issues with printers…
When Quocirca surveyed 200 enterprises across the US and Europe, it found that 61% had suffered at least one data breach through insecure printers. Risks include the following:
Printed documents left exposed in print trays. From documents being married to the wrong physical file, through to poor document disposal practices, this presents a clear risk of data ending up in the wrong hands. And when it comes to personal data, this can be an easy way of getting on the wrong side of the Regulator (remember that GDPR is as much concerned with physical data as digital!).
Unauthorised access to files stored on the printer hard drive. Just because your printer happens to have local storage capabilities, that’s no reason to make full use of it. If there is no clear business case for data being stored at a particular endpoint, then don’t do it.
Network vulnerabilities. The UK’s NCSC cites instances of printers being remotely disabled for ransom, exposed printers being accessed for destructive purposes and print queues being paused with a view to extracting data.
Always make sure that printers are included in your asset inventory and that they are subject to your wider security policy.
Look carefully at controls to limit network access, to minimise the risks of external exploitation (e.g. automatic patch management) and to secure the data stored on the printer (e.g. via hard disc encryption).
This goes for decommissioning, too: did you deploy an overwrite kit on the drive before you disposed of that old printer?
The answer, of course, is to ensure that printers are treated in the same way as all other connected devices that make up your IT architecture.