T 4.65 Inadequate protection of communication for printers and all-in-one devices

Unencrypted printer communication

Network printers are usually controlled over a network connection rather than locally. To control the printer, the printer driver on the local computer sends all of the required information either directly to the printer or to a central printer server, which then forwards it to the printer. These data transmissions are rarely encrypted.

No network separation

Security gateways between a LAN and the Internet are often configured in such a way that Internet access is enabled for entire subnets. At the same time, network printers are often assigned to the same subnet as the workstation PCs that print documents on these devices. This means it is also possible for the network printer to access the Internet. If the connections from the Internet to the printers are not rejected by the security gateways, sensitive information can be taken from the network without permission under some circumstances. The spectrum of information transmitted can range from error messages to statistics to entire documents. Detailed user profiles can even be created from the transmitted error messages and statistics. For example, the IP addresses can be used to determine the network structure.

Some manufacturers now send data for statistical and maintenance purposes directly from the printer to a server of the manufacturer. This is often not documented, and it may be impossible to determine what data were transmitted to the manufacturer.

In addition to the unwanted flow of information out of the LAN, a network-capable printer can also receive unwanted data from the Internet and possibly distribute this information. An example of this is malware that not only restricts the functionality of the device, but also infects other IT systems in the network. Malware may have entered the system from the Internet via compromised patches, for example. A network printer can therefore become an opening for attacks from the Internet under certain circumstances.
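The following added example is not part of the original catalogue entry. It sketches an audit for the situation described under "No network separation": it evaluates a security gateway policy against a printer inventory and reports which printers can reach the Internet or be reached from it. The rule format, the first-match/default-deny semantics, all addresses and the names `decide` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the page).
PRINTERS = ["10.0.20.15", "10.0.20.16", "10.0.30.5"]

# Simplified gateway policy: ordered rules, first match wins, default deny.
RULES = [
    {"action": "deny",  "src": "10.0.30.0/24", "dst": "0.0.0.0/0"},      # dedicated printer subnet
    {"action": "allow", "src": "10.0.20.0/24", "dst": "0.0.0.0/0"},      # entire workstation subnet
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "10.0.20.16/32"},  # inbound to one printer
]

# Documentation address standing in for an arbitrary Internet host.
PROBE = "198.51.100.10"


def decide(rules, src, dst):
    """Return the action of the first rule matching src -> dst, else 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule["src"]) and d in ipaddress.ip_network(rule["dst"]):
            return rule["action"]
    return "deny"


def audit(printers, rules, probe=PROBE):
    """Map each exposed printer to the directions the gateway permits."""
    findings = {}
    for printer in printers:
        directions = []
        if decide(rules, printer, probe) == "allow":
            directions.append("outbound")   # printer can send data to the Internet
        if decide(rules, probe, printer) == "allow":
            directions.append("inbound")    # Internet hosts can connect to the printer
        if directions:
            findings[printer] = directions
    return findings


if __name__ == "__main__":
    for printer, directions in audit(PRINTERS, RULES).items():
        print(f"{printer}: Internet access permitted ({', '.join(directions)})")
```

Printers that share the workstation subnet inherit its Internet rule, while the printer in the separately filtered subnet produces no finding.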