Slashdot Mirror

← Back to Stories (view on slashdot.org)

Printers Vulnerable To Security Threats

Posted by kdawson on from the infected-my-what? dept.

jcatcw writes "Networked printers are more vulnerable to attack than many organizations realize. Symantec has logged vulnerabilities in five brands of network printers. Printers outside firewalls, for ease of remote printing, may also be open to easy remote code execution. They can be possible launching pads for attacks on the rest of the network. Disabling services that aren't needed and keeping up with patches are first steps to securing them." From the article: "Security experts say that printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.... [N]etworked printers need to be treated like servers or workstations for security purposes — not like dumb peripherals."

13 of 173 comments (clear)

  1. Try it out by delirium+of+disorder · · Score: 5, Interesting

    Over the past several years, if you did a random port scan of the Internet (nmap -iR) the majority of open telnet (tcp port 23) servers were print servers that let you telnet in and change all sorts of settings.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
    1. Re:Try it out by Anonymous+Monkey · · Score: 4, Insightful

      What most people don't get is that that cute, slim-line print kit that they slid in the back of there copy machine is, in fact, made out of lap top parts and running DOS. Any multifunction print system is a computer with a printer & scanner attached, and should be treated thusly.

      --
      We are the Borg...
    2. Re:Try it out by jrockway · · Score: 5, Funny

      > "CHANGE YOUR ADMIN PASSWORD NOW!" or "I AM NOT SECURE!"

      I always change it to "OUT OF WATER".

      I did this to every printer in my high school a few years ago, and it was great. People were speculating as to where the water should go; HP support had no idea what was wrong; etc. After that, some firewall rules were changed and it never happened again :)

      --
      My other car is first.
  2. *print incoming* by BMonger · · Score: 5, Funny

    Dwight:

    At 8 AM today, someone poisons the coffee. Do NOT drink the coffee. More instructions will follow.

    Cordially, Future Dwight.

  3. Jamming by vjmurphy · · Score: 5, Funny

    Even worse, such attacks may jam the printers, making it impossible to print out important Dilbert cartoons.

    --
    Vincent J. Murphy
    Spandex Justice
  4. This is news? by NoseyNick · · Score: 5, Funny

    Was years ago I hacked my employer's printer to say: "Insert Coin" instead of "Ready" and "Feed Me" instead of "Paper tray empty" ... and I know I could have done a lot worse.

    --
    Nick Waterman, Sr Tech Director, #include <stddisclaimer>
  5. Campus Printers by cpearson · · Score: 4, Interesting

    On many if not most college campuses the printers are administered and accounted for my a system tied to a student id. Each student can get so many free prints per semester and can pay per print after exceeding that. Malicious code executing on a print server could sniff all the student accounts accessing the printer.

    http://www.vistahelpforum.com/

    --
    Windows Vista Help Forum
    1. Re:Campus Printers by afidel · · Score: 4, Insightful

      The LPT/USB port isn't usually disabled, so just hook up a cable and print =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  6. Using printers to deal with rowdy girls by GillBates0 · · Score: 5, Funny
    Not exactly the same scenario, but I think this comment by stuffman64 deserves an honorary mention here:

    Last year in my apartment, I had a very loud, rowdy group of girls living above me. Basically, they would get all drunk and mean, and any attempt to ask them to politely stop stomping on the floor or whatever they do at 3AM was met with flase promises (5 minutes later they'd be at it again). Even my mack-daddy roommate couldn't seduce them in hopes of somehow convicing them to stop being so damn loud. This kid could pick up any girl he wanted, but we surmised from all the romping and giggling that perhaps they were more interested in eachother when they got so drunk (backed up by the fact that they always came to the door in robes and/or towels).

    We tried to figure out a good way to get back at them. We could report them to the main office, but it's kinda a douchebag thing to do as in enails a $100 per person, not to mention that the apartment complex's owners were also douchebags and didn't deserve any more money from anyone. I'd known for a while that they had an unprotected wireless network, and all of their computers had file and print sharing enabled (not to mention that one of them appropriately named their computer "BITCHFACE"). I "stumbled upon" an ebook copy of War and Peace and decided to start printing it on all of their printers one day when I assumed they'd be at class. One of the girls (I assume the one who drives a Mercedes she must have got for graduation) had an HP Laserjet 5 (how the hell she had room for it in the apartment is beyond me), so there is a good chance I got off at least a few hundred pages before it ran out of paper. I'd assume they didn't know how or why it happened, but afterwards, any time they would be loud I'd start printing a bunch of pages of non-acronymized "STFU" pages. They eventually came down on time and told me that if we didn't stop printing, they'd tell the office. Once I reminded them that we could go down to the office to report noise violations @ $100 per person per violation (not to mention possible eviction after the 3rd violation) any time we heard any noise from them, they quickly realized we had the upper hand. After that, we didn't have any more problems with them, and actually started getting along with eachother.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  7. Re:Unless... by Jeremiah+Cornelius · · Score: 4, Interesting

    We used these REGULARLY to exploit banks, in our testing.

    The high-end HPs had both harddisk, and a JVM with listening socket on port 80. WHeee!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  8. I can see the 0-day exploit headline now by antifoidulus · · Score: 4, Funny

    "Printers worldwide slammed with requests to print the goatse man"

    --
    Monstar L
  9. Re:Unless... by FooAtWFU · · Score: 4, Interesting
    My school, before the Great Firewalling of its network a few years ago, had its printers open to the whole Internet. Apparently someone hacked into one and used it as an FTP server for warez and porn. And it still worked as a printer. :)

    Of course, this also means that I can't stick up a website for the world from my laptop anymore, either. =/ Ah well.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  10. HP Isn't the only brand by howlinmonkey · · Score: 5, Informative

    I work in the networked printer/multifunction industry. While HP is popular on desktops, other brands are gaining, and rule in the 50ppm+ arena. These devices come from other vendors like Canon, Sharp, Kyocera and Xerox. These multifunction devices provide scan, fax and print services and run a variety of OS's from VxWorks to Solaris. Yes Johnny, that means Windows XP embedded as well. Although I have to say, I haven't seen a DOS based controller in about 6 years.

    We routinely receive questions about security, and help patch and configure these boxes to meet network security requirements as closely as possible. Unfortunately, we have limited access to the core OS, so we go as far as we can and workaround the rest. Many vendors, especially those using Windows, provide controller patches with security fixes included. EFI even allows an admin to RDP in and use Windows Update to keep current

    These devices aren't perfect, but they have come a long way. That being said, if you haven't heard about this in the past, you have no business being in charge of network security. Multifunction devices today are just as powerful as your desktops and servers, running the same software. Admin control is limited, and vulnerabilities are a reality - note the recent Xerox vulnerability

    I would say it is important to stay in contact with your local vendor/dealer to stay on top of these issues. We work with these products everyday, and receive regular notices about security issues and solutions, not to mention a wide variety of other product data. We are a resource, just like any other outside consultant, to help you get and stay secure.