Most enterprises have suffered at least one data breach through their printers. Meanwhile, researchers have recently highlighted the fact that many 3D printers are routinely being exposed online without any adequate access controls.
Here’s the problem: too many of us overlook printers as dumb peripherals when in reality, they are anything but. Connected, ‘always on’ and a gateway to a mine of sensitive information, printers deserve the same level of protection as any other endpoint.
3D printers: what’s the problem?
If you work for a manufacturer, proprietary product blueprints will likely be among the most valuable files under your charge. Restricted access, 2FA, encryption in flight: when it comes to security, you’re going to make sure that these assets get the Rolls-Royce treatment (at least, most of the time).
But once this data is processed as part of the production process, it’s often a different story. For instance, researchers for the SANS Internet Storm Center (ISC) have recently highlighted how an absence of basic access restrictions means that data processed by 3D printers can be left wide open to exploitation.
The printers in question use the open source project OctoPrint, a Web interface that enables users to monitor and control 3D print jobs from anywhere across their networks and keep a virtual eye on the printing process.
It seems that in many instances, OctoPrint is being deployed without any restrictions on access to this Web interface. A snapshot check picked up on a total of 3,749 publicly open interfaces connected to an online printer with an operational status.
- With OctoPrint, files uploaded to the printer are in G-code, a simple unencrypted script used to issue production instructions for the 3D production process.
- When exposed via the open interface, it becomes possible to upload these G-code files and print them (easy and effective IP theft for anyone with access to a 3D printer!).
- This also provides scope for malicious tampering, including downloading, altering and then re-uploading the print file to materially alter the physical makeup of the end product. There’s also the possibility of delivering deliberately destructive code with a view to wrecking the actual printer.
- When using a print tool, never assume that access controls are enabled by default. You’ll almost certainly need to activate them.
- If you plan to make your print tool accessible online, consider carefully who has access to the print files and all other data. Only authenticated users with the appropriate level of privilege should be given this access.
- Access controls should be set at administrator level and should not be capable of being overridden by other users.
- If your access controls are fit for purpose, it should not be possible for anonymous, non-authenticated users to access those parts of the interface that enable your project files to be viewed or otherwise accessed.
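Access controls on the interface are the first line of defence, but the points above about unencrypted G-code being downloaded, altered and re-uploaded suggest a second check on the printer side: pin the exact file that was approved for release and refuse anything that differs, then sanity-check the commands against the machine's physical limits before they are executed. The following is an added example, not code from the article or from the OctoPrint project. The HMAC fingerprint is a swapped-in integrity technique, the sample G-code and the printer envelope limits are constructed values, and the function and variable names are the example's own.

```python
"""Gate a G-code file before it reaches a 3D printer.

Added example; not part of the original article or the OctoPrint project.
Two defensive checks: (1) the file must match the fingerprint recorded when the
design was approved for release, so a downloaded-altered-re-uploaded copy is
refused; (2) every command must stay inside the printer's documented envelope.
"""
import hashlib
import hmac
import re

# Constructed printer envelope. Replace with the real machine's documented limits.
LIMITS = {
    "x": (0.0, 250.0),   # mm
    "y": (0.0, 210.0),   # mm
    "z": (0.0, 200.0),   # mm
    "hotend_c": 260.0,   # max for M104/M109 S<temp>
    "bed_c": 110.0,      # max for M140/M190 S<temp>
}

# Constructed sample file, as a slicer might export it for a small bracket.
APPROVED_GCODE = b"""; bracket v3
M140 S60
M104 S205
G28
G1 X10 Y10 Z0.3 F1500
G1 X120 Y105 Z0.3 E5
M104 S0
"""

# Matches one G-code "word": a letter followed by a number, e.g. G1, X10, Z0.3
_WORD = re.compile(r"([A-Z])(-?\d+(?:\.\d+)?)")


def fingerprint(gcode: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the exact bytes approved for release (hex digest)."""
    return hmac.new(key, gcode, hashlib.sha256).hexdigest()


def verify_fingerprint(gcode: bytes, key: bytes, expected: str) -> bool:
    """Constant-time comparison against the recorded fingerprint."""
    return hmac.compare_digest(fingerprint(gcode, key), expected)


def parse_line(line: str):
    """Return (command, {letter: value}) for one line, or None for blank/comment lines."""
    code = line.split(";", 1)[0].strip().upper()   # strip trailing ';' comments
    words = _WORD.findall(code)
    if not words:
        return None
    cmd = words[0][0] + words[0][1]                 # e.g. ("G", "1") -> "G1"
    params = {letter: float(value) for letter, value in words[1:]}
    return cmd, params


def check_envelope(gcode: bytes, limits=LIMITS):
    """List (line_number, reason) for commands outside the envelope; empty means clean."""
    findings = []
    for n, raw in enumerate(gcode.decode("ascii", "replace").splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        cmd, p = parsed
        if cmd in ("G0", "G1"):                      # linear moves: check each axis
            for axis in "xyz":
                v = p.get(axis.upper())
                if v is not None:
                    lo, hi = limits[axis]
                    if not lo <= v <= hi:
                        findings.append((n, f"{axis.upper()}={v} outside {lo}-{hi} mm"))
        elif cmd in ("M104", "M109") and p.get("S", 0) > limits["hotend_c"]:
            findings.append((n, f"hotend {p['S']} C exceeds {limits['hotend_c']} C"))
        elif cmd in ("M140", "M190") and p.get("S", 0) > limits["bed_c"]:
            findings.append((n, f"bed {p['S']} C exceeds {limits['bed_c']} C"))
        elif cmd in ("M500", "M502"):                # store / reset firmware settings
            findings.append((n, f"{cmd} changes printer configuration; not a print-job command"))
    return findings


def admit_for_print(gcode: bytes, key: bytes, expected_fingerprint: str, limits=LIMITS):
    """Return (admitted, reasons). Fingerprint is checked first, then the envelope."""
    if not verify_fingerprint(gcode, key, expected_fingerprint):
        return False, ["fingerprint mismatch: file differs from the approved release"]
    findings = check_envelope(gcode, limits)
    return (not findings), [f"line {n}: {why}" for n, why in findings]


if __name__ == "__main__":
    key = b"constructed-release-key"   # in practice, held in a secrets store, not the script
    approved = fingerprint(APPROVED_GCODE, key)
    print("approved file:", admit_for_print(APPROVED_GCODE, key, approved))
    # Constructed altered copy: one coordinate changed after approval.
    altered = APPROVED_GCODE.replace(b"Y105", b"Y305")
    print("altered file: ", admit_for_print(altered, key, approved))
    print("envelope only:", check_envelope(altered))
```

The fingerprint is recorded once, when the design owner signs off on the file, and the key lives with the release process rather than on the printer or in the Web interface; a copy that has been changed anywhere, even by one coordinate, fails the first check before the envelope check is reached. The envelope check is a second, independent net for files that were never fingerprinted at all.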
Some wider issues with printers…
When Quocirca surveyed 200 enterprises across the US and Europe, it found that 61% had suffered at least one data breach through insecure printers. Risks include the following:
Printed documents left exposed in print trays. From documents being married to the wrong physical file, through to poor document disposal practices, this presents a clear risk of data ending up in the wrong hands. And when it comes to personal data, this can be an easy way of getting on the wrong side of the Regulator (remember that GDPR is as much concerned with physical data as digital!).
Unauthorised access to files stored on the printer hard drive. Just because your printer happens to have local storage capabilities, that’s no reason to make full use of it. If there is no clear business case for data being stored at a particular endpoint, then don’t do it.
Network vulnerabilities. The UK’s NCSC cites instances of printers being remotely disabled for ransom, accessing exposed printers for destructive purposes and pausing the print queue with a view to extracting data.
Always make sure that printers are included in your asset inventory and that they are subject to your wider security policy.
Look carefully at controls to limit network access, to ensure that the risks of external exploitation are minimised (e.g. automatic patch management) and that the data stored on it is secured (e.g. via hard disc encryption).
This goes for decommissioning, too (did you deploy an overwrite kit on the drive before you disposed of that old printer?).
The answer, of course, is to ensure that printers are treated in the same way as all other connected devices that make up your IT architecture.