Home office printers have had a comeback thanks to the lockdown-induced switch to home working. These low cost, small printers have been incredibly useful in managing the transition to working at home. However new consumer tests by Euroconsumers’ member organisations and Consumer Reports  have raised the alarm on security flaws in the printers –  showing yet again the risks consumers face everyday from the Internet of Things ( IoT).

What makes home printers risky?

Home printers are connected to the home wifi network and use a mobile app to manage functionality and subscriptions for billing etc. All of this involves accessing and exchanging data.  Wherever there is data exchange across networks there are security and privacy risks.

Businesses have long been aware of data breaches via printer networks at the enterprise level, and many have strategies to manage risk. However, understandably, it’s not something high on the agenda of a home user although the same dangers apply. Risks include exposing devices to malicious actors so devices are disabled or misused, or personal data being exposed and shared with unauthorised parties.

Excess data collection

To understand this more, US consumer organisation Consumer Reports tested five major home connected printer brands on sale – Brother, Canon, Lexmark, Epson and HP.

Each printer required some type of critical permissions on its mobile app, requesting location information, account management permissions or contacts. None of which is necessary for core printer functionality.

“Consumers understand that some connectivity is needed to link up their printer, but why does it need to access your contacts or need to know precise locations? Companies should work with consumers to build trust and help innovation instead of pushing people to share much more data than they need to”  

Els Bruggeman, Head of Policy and Enforcement at Euroconsumers.

More security flaws

When they looked deeper into the security design of all the printers, they discovered more major security loopholes:

• Weak password security rules: properly authenticating users helps ensure it is the owner who is accessing the printer application and network. Two factor authentication is safest, but all five of the printers tested required only a single password, and some not even a username. Weak password creation rules add to the risk as consumers may veer towards easily guessable passwords. This means that any phones, tablets, desktop computers and laptop computers on the local network can access it without any authentication checks. This loophole leaves the printer susceptible to a denial-of-service attack. There is an additional risk for printers with poor authentication rules that support PCL and PostScript (printer control languages) as this allows the hacker to access the printer’s file system, cached documents and access memory.
• Poor configuration options: over half of the printers did not use the secure ‘HTTPS’ by default for their configuration pages. They are instead directed to the less secure HTTP by default which increases the risk of sensitive information getting leaked. The result of this is that to reach the configuration pages and set up an HTTPS, users need to click through security warnings.  The longer term upshot of this is that consumers may get used to ignoring important security warnings and do so more often in the future – again heightening the susceptibility to attack.
• Protocol problems: all the tested printers used the AppSocket protocol which while simple and fast and widely used in printers, does not support encryption or other security features. As printing jobs going through this protocol are unencrypted, a malicious actor on the local network could eavesdrop on or even alter these printing jobs.

In light of these findings, the testing team contacted the manufacturers of the tested brands, and various assurances were given by the manufacturers who replied that they were ‘working on solutions’.

Hackable printers bring business risks into the home office

Unfortunately, we know that these findings are not limited to printers. Euroconsumers’ 2021 Hackable Home testing programme found multiple security vulnerabilities in common smart consumer devices like locks, alarm systems, baby monitors, doorbells and WiFi routers. With the rise of home working, a new category of risks emerges as workplace documents, employee data or sensitive commercial information is carried through home networks and printers.

Global Challenges of IOT Security

This latest research confirms the global IoT security challenge faced by consumers, companies and networks. While consumers may not think of themselves as part of the ‘internet of things’, the lack of basic security requirements for common devices puts them at risk of hacks and data losses.  Just last month, Euroconsumers supported a new call from consumer groups, industry and ethical hackers calling for worldwide commitment to standards on IoT security.

Improving security will grow trust and help the potential of connected devices to flourish. Raising consumer awareness of settings and configurations is important but they should be able to rely on baseline security features in any IoT product they use. It is surprising that given the maturity of the consumer IoT market, time and again we find that major brands are not delivering even basic security. There’s an obvious opportunity here to demonstrate to consumers leadership in IoT security.

Euroconsumers will continue to work with Consumer Reports, and multistakeholder collaborations across the world, as well as influencing policy to ensure that consumer IoT is more secure.