Yes and No, but mainly….. No.
In the last few months our clients have been getting calls from Managed Print and Copier sales people suggesting that they could get “hacked” due to their printer and potentially being fined under the new Notifiable Data Breach (NDB) scheme. Whilst it is technically possible to “hack” into a printer and use that to pivot throughout a network, most of what they are saying is outright fear mongering.
But you just said you can hack a printer?
Yes, you can, but to actually achieve this, one of at least 3 things has to happen first.
- Your IT guy inadvertently allows your copier to be accessible from the public internet, with absolutely no security over it.
- Another device in your network gets compromised first so that cyber-criminals can then leverage that device to try and break into your printer.
- Someone has to come into your office and physically plug into the printer or your network and try and break into the printer.
#1. If this is a real possibility for you, you have much bigger problems afoot and have probably already been hacked.
#2. If an endpoint has been compromised due to malware, your network has probably already been compromised. Unless you’re running some secret agency, why would anyone waste time breaking into a printer when they already have a foot hold in the network and can steal the crown jewels anyway?
#3. If a cyber-attacker can get physical access to your office, couldn’t they just steal your computers? Maybe one of your staff probably left themselves logged in, allowing them to copy all the interesting files that way. And heck, why not flog that fancy TV and laptop whilst they’re at it?
The whole “hack a printer” thing is legit, but for other reasons. Unless you, your IT guy or your copier guy are diligently running firmware updates on your printer, it’s likely that it’s running old software (called firmware) on it which may be susceptible to vulnerabilities (bugs) which may let an attacker gain escalated privileges (admin access) on the device, and since most devices these days are just computers anyway, that device can run software kind of like an actual computer.
Manufacturers want to sell new products, and this means they are unlikely to continue providing software (firmware) updates to old devices. Once a device hits about 5 years or so it’s time to consider replacing it so that you continue to get support (and software updates) from the manufacturer. If your copier is 10 years old, sure, now might be a good time to replace it, but not because you need a cyber-secure one!
But the most critical aspect to all this is “Why would an attacker want to hack a printer”?????
The value of a benign device like a copier, IP camera, wireless access point, or any other network connected device, is that if you can gain access to it you can install a remote access trojan on it and use it to hide in the network, getting back into the network if your other footholds are removed, or to attack other devices in the network from.
So what should you do?
The Australian Signals Directorate publishes a list of “Strategies to Mitigate Cyber Security Incidents” as well as the shortened “Essential 8” list which the ASD suggest can mitigate against 85% of the cyber-attacks they are called in to investigate. Google “ASD Essential 8” to find it.
The Essential 8 are…
- Application Whitelisting – basically only allow good, known software to run on computers.
- Patch Applications – keep everything up to date.
- Disable Untrusted Microsoft Office Macros – as this is the current main vector for ransomware.
- User Application Hardening – remove software you don’t need or that is known to be susceptible to exploit like Java, Flash, web ads, etc.
- Restrict Administrative Privileges – no user should work as an admin account, admin accounts should be limited and only used when system admin tasks are required.
- Patch Operating Systems – keep your Windows or Mac system up to date.
- Multi-Factor Authentication – don’t rely on a username and password only to be secure, implement SMS, token, 2nd Factor Authentication (2FA) or biometrics to harden your security.
- Daily Backup of Important Data – the penultimate strategy …. BACKUP!
At no point does the ASD suggest that a cyber-secure printer would have stopped a cyber-attack, nor would it have prevented an incident that would fall under the Notifiable Data Breach (NDB) legislation. It’s not even listed in the full list of 25 top mitigation strategies.
90% of businesses we audit have not implemented the essential 8. If your business has, I’d love to hear from you, but if like the other 90% you’re only able to tick off 4 or 5 of the Essential 8, focus your attention there first before you get scared into buying or leasing a new copier 😉