Your Printer Is a Security Risk. I'm Not Kidding.
Network printers have admin panels with default passwords, store copies of everything you print, and sit on your internal network with zero monitoring. They're the device nobody thinks about and attackers love.
#Nobody secures the printer. That's why attackers target it.
I bring up the printer in every assessment and people look at me like I'm wasting their time. It's a printer. It prints things. What's the security risk?
Let me count the ways.
Your printer has a web-based admin panel. Almost every network printer ships with an HTTP management interface. It's usually accessible to every device on the network. The default login is usually "admin" with no password, or "admin/admin," or printed on a sticker on the bottom of the device. Nobody changes it. Nobody thinks to.
Your printer stores copies of what you print. Many modern printers have internal hard drives or flash storage that cache print jobs. Legal documents. Medical records. Financial statements. Client contracts. All sitting on a hard drive inside the printer that nobody encrypts and nobody wipes when the printer gets replaced or returned to the lease company.
Your printer is on your network. The same network as your file server, your POS system, your workstations. It talks to every device that sends it a print job. If an attacker compromises the printer, they're on your internal network with a device that nobody monitors, nobody patches, and nobody suspects.
Your printer has firmware that hasn't been updated since it was installed. Printer firmware gets vulnerability patches just like any other software. HP, Canon, Brother, Epson, Lexmark all publish security advisories. Nobody reads them. Nobody applies them. The printer runs the same firmware it shipped with in 2021.
Your printer might be accessible from the internet. In many assessments, I've found printers with their management interface reachable from outside the network. Sometimes because the firewall rules are too broad. Sometimes because someone forwarded a port for "remote printing." Sometimes because the printer has Wi-Fi direct enabled and is broadcasting an open network.
#What an attacker does with a compromised printer.
Intercept print jobs. Redirect documents to an attacker-controlled destination while still printing normally so nobody notices.
Access stored documents. Read the print job cache for recently printed files. Legal briefs. Patient records. Tax returns. Whatever you printed last week.
Pivot to the network. Use the printer as a stepping stone to reach other devices on the same network segment. The printer has a trusted network position that most security tools ignore.
Modify printed documents. In theory, an attacker who controls the printer can alter documents as they're printed. Change an account number on an invoice. Modify terms in a contract. Subtle and devastating.
Use it for persistence. Printers run Linux or RTOS internally. An attacker who gets code execution on the printer has a persistent foothold that survives workstation reimaging, password resets, and most incident response procedures. Nobody checks the printer during incident response.
#What to do.
1. Change the admin password. Log into your printer's web management interface (usually the printer's IP address in a browser). Change the admin password to something strong and unique. Store it in your password manager. This takes 2 minutes per printer.
2. Disable features you don't use. Remote management? Off. FTP print? Off. SNMP with default community strings? Off. Wi-Fi Direct? Off unless you specifically need it. AirPrint is usually fine.
3. Put printers on their own VLAN. Just like guest Wi-Fi, printers should be on a separate network segment with firewall rules that only allow print traffic from authorized devices. Printers don't need to reach the internet, your database server, or anything other than the workstations that print to them.
4. Update printer firmware. Check your manufacturer's support page for security updates. HP, Canon, and Brother all publish regular firmware patches. Apply them.
5. Enable print job encryption if your printer supports it. This prevents print jobs from being intercepted in transit over the network.
6. Wipe or destroy printer hard drives when decommissioning a printer. If you're returning a leased printer, factory reset it first. If you're disposing of one, remove and destroy the hard drive. Your printed documents are on there.
7. Disable the web interface from outside your network. The printer's management panel should only be accessible from your internal network. Check your firewall rules.
#Further reading
- NIST: Securing Network Printers - security controls applicable to network devices
- HP Printer Security Advisories - firmware patches for HP printers
- Canon Security Advisories - Canon printer patches
- SANS: Securing Printers - printer security guidance
- Shodan - check if your printer is internet-exposed (search port 9100)