Strange as it may seem, your printer could be a gateway to hackers and become a back-door entry point for malware. And what's more, this was known over seven months ago and yet research to be published this week indicates that the vast majority of printers still remain vulnerable.
The story started last November with a proof-of-concept experiment carried out by two American academics, who hacked into a Hewlett-Packard laser printer via a bogus firmware update and installed malware that potentially could permanently damage the printer. The event was publicised, and the response from HP was to issue a deluge of official firmware updates that allegedly fixed some of the vulnerabilities.
Now, seven months later, the same academics have carried out a survey into the security of peripherals, and found that only 1-2% of HP laser printers had been updated to the more secure firmware versions, and even when they had, one in four was still using the default password settings for printer updates.
It seems likely that other brands of printer would show a similar vulnerability, since their operating systems are based on Linux routines that are commonly used. For example it is asserted that there are over 100 known vulnerabilities in the OpenSSL encryption protocols that could turn the printers into "reconnaissance devices that operate behind corporate firewalls, spread malware to internal systems, and even exfiltrate printed documents outside of a protected site". One of the potential key flaws that many modern laser printer possess, is that they can transmit and receive emails and other documents from cloud-based sources. So don't be surprised if you start to see "printer security" issues rising up the agenda of anti-malware companies, especially in corporate applications.
Meanwhile, you can read the background and recent results of internet sweeps for computer peripheral vulnerabilities in the paper: "A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan. Ang Cui and Salvatore J. Stolfo; Department of Computer Science, Columbia University"
Freely available on the site: http://ids.cs.columbia.edu/content/quantitative-analysis-insecurity-embedded-network-devices-results-wide-area-scan.html
