On March 24th of this year, 59 printers at Northeastern University in Boston suddenly output white supremacist hate literature, part of a wave of spammed printer incidents reported at Northeastern and on at least a half dozen other campuses.
This should be no surprise to anyone who understands today's printer technology. Enterprise-class printers have evolved into powerful, networked devices with the same vulnerabilities as anything else on the network. But since, unlike with personal computers, no one sits in front of them all day, the risks they introduce are too often overlooked.
"Many printers still have default passwords, or no passwords at all, or ten are using the same password," says Michael Howard, HP's chief security advisor, speaking of what he's seen in the field. "A printer without password protection is a goldmine for a hacker. One of the breaches we often see is a man-in-the-middle attack, where they take over a printer and divert [incoming documents] to a laptop before they are printed. They can see everything the CEO is printing. So you must encrypt."
As for the Northeastern incident, "They were all printers outside central IT control, purchased with departmental funds," notes Mark Nardone, the university's chief information security officer. "We expect the departments to comply with security recommendations but do not have the resources to verify." Using one or more search engines, the attacker located unsecured printer ports and then sent each a PDF file and a print command, he says. The attacker printed one copy on each machine but could just as easily have printed thousands, Nardone adds.
To continue reading this article register now