CR Urges Companies to Improve Products to Protect Printer Security on Local Networks
While office printer security has been a topic of concern for businesses for years, consumers have had low awareness of the risks for individual use. Consumer Reports’ Digital Lab found unnecessary permissions, insecure protocols, and poor security design across all five brands among the 90+ models of small office/home office printers we tested recently.
Each printer requires some type of critical permissions on its mobile app, requesting location information, account management permissions or contacts. None of this access is necessary for core printer functionality.
Hewlett Packard (HP) printers’ Android app allows the printer to access user location in the background. Brother, Canon, Lexmark, and HP also access fine location data. Brother and Epson could manage accounts on behalf of users, and Brother could read the user’s contact list, as well. Users should make sure to turn those permissions off on their phones after setting up their printer under WiFi direct mode to reduce data exposure, or they could set up the printer in other modes and not make those permissions available at all.
Poor Configurations and Protocols
Over half of the printers we tested do not use HTTPS by default for their configuration pages, and many use self-signed certificates. For many printers, users are directed to port 80 (HTTP) by default; HTTPS on port 443 is used only after users opt in or are redirected there. Even when users are redirected to HTTPS, the printers present self-signed certificates, which cause most web browsers to display a warning page. Users must click through the warning to reach the configuration page, which trains them to do the same in the future and puts them at risk of man-in-the-middle attacks.
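To see which of these situations a particular printer is in, the following script (an added example for this article, not code from Consumer Reports or any printer vendor) probes the printer's port 80 and port 443 the way a browser would: does plain HTTP answer, does it redirect to https://, and would the certificate pass the operating system's trust store. The PRINTER_HOST address is an assumption; replace it with your printer's LAN address. The classification logic is separate from the network probes so it can be checked on its own.

```python
"""Audit how a printer on the local network serves its configuration page.

Added example for this article; not from Consumer Reports or a printer vendor.
PRINTER_HOST is an assumed address: replace it with your printer's LAN IP.
"""
import socket
import ssl
from http.client import HTTPConnection, HTTPException
from typing import NamedTuple, Optional, Tuple

PRINTER_HOST = "192.168.1.50"   # assumed address of the printer under test
REDIRECT_CODES = {301, 302, 303, 307, 308}


class WebConfigFinding(NamedTuple):
    http_open: bool               # does port 80 answer?
    redirects_to_https: bool      # does port 80 send the browser to https://?
    https_open: bool              # does port 443 answer?
    cert_trusted: Optional[bool]  # None when no HTTPS; False means the browser would warn


def is_https_redirect(status: int, location: Optional[str]) -> bool:
    """True when an HTTP response would move the browser to an https:// URL."""
    if status not in REDIRECT_CODES or not location:
        return False
    return location.strip().lower().startswith("https://")


def rate_web_config(f: WebConfigFinding) -> str:
    """Map the probe results to the situations the article describes."""
    if not f.https_open:
        return "http-only"             # config page, including the admin password, travels in clear text
    if f.http_open and not f.redirects_to_https:
        return "https-optional"        # users land on port 80 unless they opt in to HTTPS
    if f.cert_trusted is False:
        return "https-untrusted-cert"  # HTTPS by default, but the browser shows a warning page
    return "https-trusted"


def probe_http(host: str, timeout: float = 3.0) -> Tuple[bool, bool]:
    """(port 80 reachable, port 80 redirects to HTTPS)."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return True, is_https_redirect(resp.status, resp.getheader("Location"))
    except (OSError, HTTPException):
        return False, False
    finally:
        conn.close()


def probe_https(host: str, timeout: float = 3.0) -> Tuple[bool, Optional[bool]]:
    """(port 443 reachable, certificate trusted by this machine's CA store).

    A self-signed printer certificate fails verification here exactly as it
    would in a browser, so False corresponds to the warning page users see."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, True
    except ssl.SSLError:      # certificate not trusted (or handshake failed)
        return True, False
    except OSError:           # connection refused or timed out: no HTTPS offered
        return False, None


def audit(host: str) -> WebConfigFinding:
    """Run both probes against one printer and collect the findings."""
    http_open, redirects = probe_http(host)
    https_open, trusted = probe_https(host)
    return WebConfigFinding(http_open, redirects, https_open, trusted)


if __name__ == "__main__":
    finding = audit(PRINTER_HOST)
    print(finding)
    print("verdict:", rate_web_config(finding))
```

A verdict of "https-optional" or "http-only" means the administrator password is typed into a page that travels unencrypted over the home network; "https-untrusted-cert" is the click-through-the-warning case described above.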
Modern IoT devices should let people print from a regular user account, but many printers require users to run an administrator (root) account. This, again, puts users at risk of man-in-the-middle attacks between the printer and their phone or laptop.
All printers we tested use the AppSocket protocol, which is unencrypted. AppSocket, which is also known as Port 9100, RAW, JetDirect or Windows TCPMon, is considered the fastest and easiest network protocol for printers, but it is not secure. Because printing jobs going through this protocol are unencrypted, a malicious actor on the local network could eavesdrop on or even alter these printing jobs.
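The reason eavesdropping is straightforward is that an AppSocket job carries the document exactly as the driver produced it: a few PJL header lines, then the page data, with no encryption. The parser below (an added example for this article, not code from Consumer Reports or a printer vendor) splits a captured port-9100 payload into its PJL header and document body and recovers the readable text, which is what a packet capture on your own network shows you about your own print jobs. It also checks whether the printer accepts connections on 9100 at all. SAMPLE_JOB is a constructed payload, and the printer address in the usage line is an assumption.

```python
"""Inspect an AppSocket (TCP 9100, "RAW"/JetDirect) print job.

Added example for this article, not code from Consumer Reports or a printer
vendor.  SAMPLE_JOB is a constructed payload; the address passed to
appsocket_reachable() in the usage line is an assumption.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

UEL = b"\x1b%-12345X"                             # PJL Universal Exit Language: brackets a job
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")   # runs of plain ASCII text


@dataclass
class RawPrintJob:
    pjl_commands: List[str]        # header lines such as '@PJL SET COPIES = 1'
    job_name: Optional[str]        # from '@PJL JOB NAME = "..."', if present
    language: Optional[str]        # from '@PJL ENTER LANGUAGE = ...', if present
    body: bytes                    # the document stream (PCL, PostScript, text)
    readable_text: str             # human-readable strings recovered from body


def parse_raw_job(payload: bytes) -> Optional[RawPrintJob]:
    """Split one port-9100 payload into PJL header and document body.

    Returns None when the bytes do not look like a PJL-wrapped job (for
    example, a TLS record), so the function doubles as a classifier."""
    stream = payload[len(UEL):] if payload.startswith(UEL) else payload
    if not stream.startswith(b"@PJL"):
        return None
    if stream.endswith(UEL):
        stream = stream[:-len(UEL)]

    commands: List[str] = []
    pos = 0
    # PJL header: one '@PJL ...' command per line, up to ENTER LANGUAGE
    while stream.startswith(b"@PJL", pos):
        end = stream.find(b"\n", pos)
        if end == -1:
            end = len(stream)
        line = stream[pos:end].rstrip(b"\r").decode("ascii", "replace")
        commands.append(line)
        pos = end + 1
        if re.match(r"@PJL\s+ENTER\s+LANGUAGE", line, re.I):
            break  # everything after this line is document data
    body = stream[pos:]

    job_name = language = None
    for line in commands:
        m = re.match(r'@PJL\s+JOB\s+NAME\s*=\s*"([^"]*)"', line, re.I)
        if m:
            job_name = m.group(1)
        m = re.match(r"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\S+)", line, re.I)
        if m:
            language = m.group(1)

    readable = "\n".join(r.decode("ascii") for r in PRINTABLE_RUN.findall(body))
    return RawPrintJob(commands, job_name, language, body, readable)


def appsocket_reachable(host: str, timeout: float = 2.0) -> bool:
    """True when the printer accepts a TCP connection on 9100.

    On a home network this means any device that can reach the printer can
    submit jobs without credentials, which is the exposure described above."""
    try:
        with socket.create_connection((host, 9100), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: a one-page text job with a PJL header, as a raw print
# queue might send it.  The document body is the text after the PCL reset (ESC E).
SAMPLE_JOB = (
    UEL
    + b'@PJL JOB NAME = "payroll_2024.txt"\r\n'
    + b"@PJL SET COPIES = 1\r\n"
    + b"@PJL ENTER LANGUAGE = PCL\r\n"
    + b"\x1bE\r\nCONFIDENTIAL: salary adjustments Q3\r\n\x1bE"
    + UEL
)

if __name__ == "__main__":
    job = parse_raw_job(SAMPLE_JOB)
    print("job name :", job.job_name)
    print("language :", job.language)
    print("contents :", job.readable_text)
    print("9100 open:", appsocket_reachable("192.168.1.50"))  # assumed printer address
```

Nothing in the payload is protected: the job name, the page language and the document text are all recoverable from a single packet capture, and the same absence of integrity protection is what allows a job to be altered in transit.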
Poor Authentication Rules
Consumer Reports recommends that device makers require two pieces of information for authentication and impose a strong password creation rule. We also recommend that device makers require that consumers use a physical button or PIN to set up the initial connection between a printer and any other device.
Though some of the printers we tested are better than others, all five brands require only a password for configuration. That means any phone, tablet, desktop or laptop computer on the local network could print without any authentication, leaving the printer susceptible to a denial-of-service attack.
Printers that require only a password for configuration could also be discovered and accessed by attackers on the local network. Additionally, if a router is configured to forward ports so that the printer can be reached from the WAN (wide area network) side, which is not tied to a single location, and the printer uses a default or easy-to-guess password, a remote attacker could send print jobs or even change the printer’s configuration.
To meet best practices for IoT devices, authentication should require at least two pieces of information. Additionally, the authentication mechanism of command execution doesn’t meet the zero trust requirements of IoT devices—an industry best practice that means no access is granted and no operation is executed without authenticating the user.
When reached for comment, a spokesperson for Brother said, “Brother recognizes the importance of preserving the security and privacy of our customers and partners. To reinforce our commitment to providing protections, we have a security testing process in place to ensure a safe customer experience. We remind all customers to follow security best practices, including updating their products regularly with the latest firmware to ensure they are protected from potential threats. For more information on our security and customer privacy practices, visit our Support page.”
A spokesperson for Canon said, “We currently provide guidance on our website to allow customers to make security settings robust. We understand the points Consumer Reports raised, and they are valuable for our future product development.”
A spokesperson for Hewlett Packard said, “We value the work Consumer Reports is doing to raise awareness around printer security. Nearly all of the security issues identified are industry-wide design challenges that have been addressed in our newer printer models or are requirements of devices (e.g., Android mobile phones) that HP does not control. We’re committed to evolving our existing and future products to be the most secure in the industry.”
After evaluating our findings, a spokesperson for Lexmark said that most of the points raised by CR are related to product configuration settings, which are not a one-size-fits-all, cookie-cutter solution for customers, and that Lexmark provides documentation that will allow the consumer to configure their device in a way they deem appropriate. And while the company did not agree with all of CR’s recommendations, the spokesperson said they plan to evaluate several findings “against the need to provide the best possible out-of-the-box experience and product development roadmaps.”
Epson did not provide a comment.
While consumers wait for companies to make changes, there are a few things that can be done now. Make sure your router is configured so that your printer is reachable only on your home network and port forwarding is not enabled for it (port forwarding allows computers or services outside your network to connect to your printer). If you let other people use your home WiFi, set up a guest network for them instead of letting them use the same network you do. Lastly, if you use the printer’s mobile application, check your phone’s settings to make sure its permissions are off after you set up the printer. (For example, on an Android phone, check Settings > Apps & Notification > (Name of Printer App) > Permissions.)