Now that more of us are working from home (WFH), one of the key technologies that can cause problems is, surprisingly, the networked printer. Hackers target these devices frequently, which is why many IT departments have taken steps to prevent home laptops from connecting to them. Here are some strategies to help you understand the potential threats and print from home securely.
Networked printers have a long legacy of being insecure devices. Back in the early 1990s, HP came out with the first network print servers, called JetDirect. These took the form of an internal circuit card that fit inside the early monochrome laser printers. Back in the day, these printers cost more than $2000, so there was a lot of motivation to share them, and only a few home computer users had them. This issue is old enough that we didn’t even use the term Internet of Things (IoT) when these printers first began having security issues, even though they were one of the first IoT instances.
Let’s move the clock forward to 2003, when this post described a major vulnerability in the JetDirect administration software. The JetDirect software had two different interfaces: one was web-based and the other used Telnet, a command-line interface that predated the web by many years. The Telnet interface didn’t have any default password. Think this is prehistoric security? Think again: many of the common consumer network routers that are used today still come with blank default passwords, which is one of the reasons why the WannaCry attack was so successful.
So why are network printers still so insecure? Mainly because we tend to forget about them once they are working. This 2016 post speaks to how easily printers on work networks can be compromised. To HP’s credit, they have been trying to improve their network security: five years ago they came out with printers that prevent tampering with the underlying BIOS settings and have built-in intrusion detection.
Since many of us began working remotely, security has become more of an issue. “We can no longer ensure the security of these endpoints,” says CyberArk’s EU director David Higgins, quoted in this ComputerWeekly piece from this past March. “We should assume endpoint devices are already compromised or soon will be. We have to enforce isolation to prevent such devices ever directly accessing critical assets.” While almost all articles on WFH recommend using Virtual Private Networks (VPNs), having a VPN connection will often preclude attaching to a home printer.
This is because your IT department is often concerned that a home-based printer could be a way for attackers to gain access to the corporate network, particularly when your computer is connected via a VPN. Remember that a VPN just secures the point-to-point connection between your home and the office network. If an attacker has already compromised your computer, a VPN doesn’t stop them from inflicting further damage on other computers around the office.
In a recent survey, more than half of the respondents thought they could “get away with riskier behavior” when they were WFH, and the same number will find workarounds if security policies stop them from doing their jobs. That is a sobering thought.
So, armed with this history lesson, what can WFH employees do to make printing more secure? In our review of numerous WFH articles, very few of them address the remote printing issue head-on. Here are a few recommendations.
First, try to send documents to your office printer on the corporate network while connected to the VPN. This could be useful if you are intending to send these documents to your colleagues at the office. Also, use your VPN connection sparingly and be aware when you are connected with it and when you aren’t.
Second, avoid the “SaaS shuffle” of sending a document to your private Gmail or another cloud account, and then printing it from your home PC. That just circumvents the security checks that IT is using to track printed documents and it could expose private data too.
Next, your corporate network should be tracking remote printing and flagging frequent users for further investigation. If your IT department can’t install endpoint protection software on personal laptops, remote printing needs to be monitored using network-based tools.
Finally, if WFH becomes the new standard, look at one of the cloud printing services that can provide end-to-end encryption for your printing needs. Google had one such service, but it announced it will be shuttered at the end of the year.
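The recommendation above about tracking remote printing and flagging frequent users can be sketched as a small log check. This is an added example, not code from the original article: the comma-separated log format, the VPN address pool, the thresholds and all sample lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): VPN clients draw addresses from this pool,
# and these per-user, per-day limits are what the organisation considers "frequent".
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
JOB_THRESHOLD = 3
PAGE_THRESHOLD = 100

# Constructed print-server log: ISO timestamp, user, source IP, printer, pages
SAMPLE_LOG = """\
2020-06-01T09:02:11,alice,10.8.0.14,hq-floor2,4
2020-06-01T09:40:03,bob,192.168.10.23,hq-floor2,12
2020-06-01T10:15:47,alice,10.8.0.14,hq-floor2,6
2020-06-01T11:01:09,carol,10.8.0.31,hq-floor1,150
2020-06-01T12:00:00,dave,not-an-ip,hq-floor1,2
2020-06-01T13:22:30,alice,10.8.0.14,hq-floor2,2
2020-06-01T15:05:12,alice,10.8.0.14,hq-floor1,3
2020-06-02T08:30:00,alice,10.8.0.14,hq-floor2,1
"""

def parse_line(line):
    """Return (day, user, ip, pages), or None if the line is malformed."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, user, src, _printer, pages = parts
    try:
        return ts[:10], user, ipaddress.ip_address(src), int(pages)
    except ValueError:
        return None

def flag_remote_printing(log_text):
    """Map (day, user) -> reasons, for users whose VPN-sourced printing exceeds a limit."""
    totals = defaultdict(lambda: [0, 0])  # (day, user) -> [jobs, pages]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] not in VPN_POOL:
            continue  # skip malformed lines and jobs sent from inside the office
        day, user, _ip, pages = rec
        totals[(day, user)][0] += 1
        totals[(day, user)][1] += pages
    flagged = {}
    for key, (jobs, pages) in sorted(totals.items()):
        reasons = [msg for hit, msg in ((jobs > JOB_THRESHOLD, f"{jobs} remote jobs"),
                                        (pages > PAGE_THRESHOLD, f"{pages} remote pages")) if hit]
        if reasons:
            flagged[key] = reasons
    return flagged

print(flag_remote_printing(SAMPLE_LOG))
```

Counting both jobs and pages per day catches the user who prints often as well as the one who sends a single very large job.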