Security Loophole: How a Print Feature Can Hack Password Managers

A rarely-used password manager feature poses a considerable risk for companies, organizations and authorities, including GDPR-reportable incidents.

Password managers hack themselves – by something as easily as a print job

IT security measures are only as good as the humans who use them, so when data, apps and programs are handled carelessly or negligently, they offer very little help. Apart from technology, the human factor in IT security remains a really crucial factor. Security threats have long since been caused not just by external attacks, but also, whether deliberate or indeliberate, by employees themselves.

Passwords are a perfect example in this area. Designed to protect sensitive data and control access, their misuse proves security-critical instead. Today, every organization deals with the problem of the correct use of passwords. More and more complexity, regular changes and secrecy have become annoying, yet necessary side effects. And even though the goal is usually single sign-on with preferably two-factor authentication, many systems and services are still not compatible.

Password manager tools which manage various services and access with a master password, are a sensible addition to any security strategy. There are a number of reasons for this – users only have to remember one master password and not all individual passwords, time is therefore saved when logging in, a protected overview of all passwords used is possible at any time and access is often possible via several devices. Since the individual passwords do not have to be entered manually every time, they can be very strong. “Password”, “123456”, “Admin”, or post-it notes under the keyboard or even complete password collections in the corporate file system are no longer required. The risk posed by a potential attacker who has to crack a master password instead of a series of passwords is minimized by extensive security measures such as the master password, encryption or two-factor authentication.

As an organization, no matter if you are a company or public authority, you certainly want to avoid that an attacker, whether internal or external, can get a list of all passwords. This would be equivalent to disclosing all corporate data, including personal data. This would be, understandably too, a reportable event according to the EU’s GDPR data protection laws.

Article 33 – In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

A Delicate Matter: Password Managers in Organizations

Nevertheless, the use of a password manager is not completely without risk. This increases in particular when business versions of these password managers are used. This gives individual users access not only to their own passwords, but also to passwords shared within the department or team, for example for online tools and services. And with the trend to use such services more and more, this scenario will only occur more frequently in the future.

But how can a hacker succeed in getting access to all passwords despite all the security measures mentioned above? The answer is as frightening as it is simple – they simply use the print feature.

Password Managers Hack Themselves – By Just Printing

With regard to security, printing is often neglected or not even considered at all, and it’s often forgotten that printing devices are more than just simple output and copying devices. For example, they have their own IP address, have access to the network, can be reached via their own e-mail address and can even send data via this address.

And even though we as a company are active in the print management sector, and should be happy when more and more innovative solutions support printing, we would not have assumed that password managers would do this – why should they? Their basic concept makes memorizing various passwords no longer necessary. But they actually do print. With just a few clicks, many password managers can send the entire list of logins including passwords in plain text to the printer. And anyone familiar with printing knows that printing sensitive information is a delicate matter.

We stumbled across the feature when we wanted to get an overview of the services we used and were very shocked that not, as expected, a list of systems and login names appeared, but also the respective passwords in plain text. And not only ours, but also those from shared folders of other teams. We didn’t even need any admin rights for this but were logged in as a normal user. We were able to test this feature directly with RoboForm and with 1Password. For a better overview we also took a close look at online documentation from both LastPass and KeePass.

Password Managers Can Print?

Why should a password manager be able to print at all? In response to our question via Twitter, we were told that this is what customers want most in order to store their passwords securely in a safe. Even though this use case certainly exists, the question remains as to whether it should be so easy for every user to print entire password lists.

Printing – An Unknown Vulnerability

Printing continues to be a security issue. Although it’s possible to secure a printing environment, this is unfortunately rarely the case in practice. Printers are configured to be relatively open at the time of delivery in order to be compatible with as many applications as possible. Therefore, the protection of the printer is the task of the internal IT department or the service partner. If this is not done, print jobs are sent unencrypted to the printer via the network in the form of postscript or PCL files. If network traffic is analyzed with an analysis tool such as Wireshark, it is relatively easy to filter this out and display it after disconnecting the IP header using PCL or Postscript Viewer. If the printer has a hard disk, it can also occur that these print files remain on the hard disk. This is particularly critical when the printer leaves the company – even if only for scrapping.

Another problem are print jobs that are not picked up or redirected to other printers due to incorrect printer selection or faulty printer mapping. Ultimately, the question arises as to whether it is necessary that every user in the company should have the entire password list made available to them in such a handy form, as most attacks which take place on an organization’s IT systems are carried out from within.

But a hacker doesn’t even have to bother with password managers to intercept the print job. For example, with the Mac versions of RoboForm, LastPass and KeePass, an HTML page is created to generate the print job and stored on the device’s desktop. Unfortunately, the file will remain there in some cases, even if the print job has already been completed. If users have also activated a cloud service such as Dropbox or iCloud, then this file can quickly end up in the cloud. KeePass explains in its FAQs that the printing process wouldn’t be possible without the temporary HTML file, but KeePass will automatically delete this file under certain conditions. If you don’t want this, KeePass points out that you can write your own plug-in. The HTML file on the computer desktop is hopefully protected by the user login but can also be easily moved by the user to other, perhaps unprotected areas.

Repercussions

Companies should be aware that password managers have a printing feature that can also cause passwords to be stored in unencrypted files on a user’s desktop. This should also be an opportunity for a company to review its entire printing infrastructure in terms of security.

Finally, RoboForm has promised a remedy with the next version and will introduce a feature blocking the print function. An example that other providers should quickly follow.

Carsten Mickeleit
Carsten Mickeleit
Carsten Mickeleit is founder and CEO of Cortado Holding AG (formerly ThinPrint AG). After university, Carsten worked as a researcher at the Institute for System and Planning Theory. In 1990 he founded a provider of information technology solutions, Carano, where he was responsible for sales, marketing and technology leadership. In 1999 he founded ThinPrint AG and developed the company - now Cortado Holding AG - into the leading provider of software-based print and enterprise mobility solutions. Carsten Mickeleit holds a degree in Industrial Engineering from the Technical University of Berlin, with specialism in Finance and Electronics. Besides his work, Carsten is father of two grown-ups as well as being a passionate kite- and snowboarder.