Another important finding shared from the Black Hat security conference

LAS VEGAS—Printers have been part of the modern home and office for decades, despite numerous attempts to go “paperless.” But at the Black Hat conference here, Jens Müller of Ruhr University Bochum reminded attendees that just because something is ubiquitous doesn’t mean it should be trusted.

Add the ability to access the printer via USB, local network, or over the internet, and you have the recipe for a devastating attack. In fact, security researchers have warned for years that connected devices like printers, routers, and even VoIP phones could be used as beachheads for an attacker. The phone might not be very useful for an attacker, but perhaps they could use it to pivot to your secure network.

Müller found enough within the humble printer to keep him busy without trying to escalate an attack. The problem, he said, is the printing protocols that translate the files on your computer into something the printer can put to paper. One such protocol—aptly named the Printer Job Language—was developed in the early 90s by HP, and it can make permanent changes to the printer, not just the current print job. Another, called PostScript, was developed by Adobe and was originally intended for document exchange. It’s been largely replaced by the PDF, but is still heavily used in laser printers.

“In the long-term actually we need to get rid of insecure printer languages,” said Müller, but that’s a long-term solution, he conceded. In the short term, he advised sandboxing network printers into a separate VLAN that is only reachable through a hardened print server. Printer vendors need to “consider undoing some insecure decisions,” and browser vendors could block port 9100.
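
A check for the segmentation Müller recommends, as an added example that is not from the article or the talk: run from a workstation VLAN, it reports printers that still accept direct connections on port 9100 and confirms the print server is reachable. The 192.0.2.x addresses and the print server's port 631 (IPP) are constructed assumptions.

```python
import socket

RAW_PRINT_PORT = 9100  # raw printing port named in the article


def tcp_reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, filtered
        return False


def audit_segmentation(printers, print_server, probe=tcp_reachable):
    """Run from a workstation VLAN; return a list of policy violations.

    Policy (from the article): printers are reachable only through the
    print server, so a workstation must NOT reach a printer on 9100 but
    MUST reach the print server.
    """
    findings = []
    for host in printers:
        if probe(host, RAW_PRINT_PORT):
            findings.append((host, RAW_PRINT_PORT, "printer reachable directly"))
    server_host, server_port = print_server
    if not probe(server_host, server_port):
        findings.append((server_host, server_port, "print server unreachable"))
    return findings


if __name__ == "__main__":
    # Constructed inventory: documentation-range addresses, not real hosts.
    printers = ["192.0.2.21", "192.0.2.22"]
    print_server = ("192.0.2.10", 631)  # assumption: server accepts IPP on 631
    violations = audit_segmentation(printers, print_server)
    for host, port, reason in violations:
        print(f"VIOLATION {host}:{port} {reason}")
    raise SystemExit(1 if violations else 0)
```

A non-zero exit status means the workstation segment can still reach a printer directly or cannot reach the print server, so the script can run as a scheduled check after firewall changes.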