Background: How Remote Printing Works

Most computer printers can connect to a home network, either through Wi-Fi (the most common method) or wired Ethernet. This allows easy sharing among computers and mobile devices in the home, and gives the printers access to an Internet connection.  

Among other things, this makes it possible to print remotely. The user creates an online management account through the manufacturer’s website or the printer’s embedded Web server, and registers the printer. The user receives an e-mail address to which messages, documents, and photos can be sent.

Such e-mails go to the manufacturer’s server, where the attachments are rendered into a printer-compatible format. They are then forwarded to the Internet address established for the printer in the user’s home. The content gets printed automatically. So far, so good.

Potential Security Threat

We theorized that manufacturers might not guard against a printer being connected to a different network from the one the user originally designated for remote printing. Such a network change might occur if, for example, a user sells the printer on eBay, gives it to a friend, or even discards it in the trash and it gets picked up by a passer-by.

If we were right, this could pose a threat to privacy and security. If the original user's friend or accountant sent documents to the remote-printing email address, those documents would print out regardless of who now owned the printer or where it was located.

Why would the manufacturers do this? They might want to ensure that remote printing would be reliable even though IP addresses are frequently rotated by Internet service providers, and home routers are occasionally replaced.

What We Did

We devised a test to see if a printer’s assigned email address would still work if the printer were connected to a new ISP and network. We looked at two recent-model all-in-one printers, an HP Envy 5660 and a Canon MB5350.

After setting up the printers on the manufacturers’ websites and getting email addresses assigned, we tested our theory by sending the printers the same test print jobs (.doc, .excel, and .jpg files) twice: initially, while the printers were still connected to the wireless network we normally use in our computing test labs, and again after connecting them to another wireless network using a different Internet provider.

What We Found

When we sent attachments to the email address assigned to either of the printers, the items were printed regardless of which network they were connected to. Neither printer requested verification after we switched networks.

We also tried printing to the Canon printer using Google Cloud Print, a different remote-printing method available for most networked printers. We found the same behavior: The printer didn’t care what network it was connected to when it was sent a remote print task.

Conclusion and Recommendations

Based on our tests, it appears that a new user of either of these printers could easily receive material intended for the original owner. (Conversely, the original owner could send offensive content to the new users, or use up their ink and paper maliciously.)

We think that manufacturers should inform consumers of the risk that remotely printed content might get sent to an unintended recipient. Further, printers, like every Internet-connected device, should have security and privacy protection designed into them. Manufacturers should program the printer’s firmware to detect a change in the connected network and disable remote printing until the user re-authorizes the capability through a secure online account.

As for consumers, if they have enabled a printer for remote printing, either through the manufacturer’s own method or through Google Cloud Print, they should treat the printer as they would any device containing personal information, and erase its settings before repurposing or discarding it. This can universally be done by using a “Reset to default” or similarly named process initiated through the control panel on the printer. The other option—and one that would still work if the user had already sold an insecure printer—would be to log into the website for the account they established for remote printing, and “remove” their printer from the account. This process deactivates the originally assigned email address, and deactivates Google Cloud Print, requiring a subsequent owner of the printer to establish a new account in order to print remotely.