Printers print. By definition, that is their function. Wads of printed paper, transparencies, continuous feed printouts, presentations stapled together, and so on. Many people are aware of the security risks of leaving printouts lying around, or throwing them out without shredding them. Thirty or forty years ago, tales of hackers going through refuse were rife. Now, however, it is not the printout that is the security problem, but the printer itself. As the rest of IT has been getting smarter (meaning more processors, memory and software), so have printers. One problem is that we haven’t noticed it. Another, it seems, is that vendors, while ramping up printer intelligence, have omitted to increase security accordingly.
Printers receive instructions from other devices about what to print. They receive information over a fast network link and store it while the slower, mechanical printing process is carried out. If a hacker can inject commands into a printer or read the contents of its memory, the door is open to a host of alarming possibilities. Ethical hackers have demonstrated how they can install their own apps on a printer, for example to play popular video games on a printer’s LCD screen. Other examples have involved detecting when sensitive information such as tax return forms is being printed, then siphoning off data of interest and sending it to another repository.
Vendors are waking up now. One large manufacturer (Hewlett-Packard) has recently announced a number of protective measures built into certain models to monitor possible intrusion and to check that only approved firmware is installed. While this may not sound like rocket science, it is a big step forward from the previous situation, in which printers took everything on trust and accepted every instruction without question. HP refutes the earlier findings of researchers who claimed they could burn paper by instructing the company’s laser printers to overheat their fusers (the element that binds toner to paper). But it’s good to know that even if it was possible in the past, such hacking should be more difficult in the future.