Slashdot Mirror
Multifunction Printers — The Forgotten Security Risk?
eweekhickins writes to share an article in eWeek highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machine sitting in the corner and should be treated with their own respective security strategy. "During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer--complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostGreSQL. He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine."
Wasn't one of the first Mac viruses spread by a mac printer?
They ARE out to get you simply because They are in it for themselves and they don't care about you.
Are we going to have a bot net of machines that print our spam for us?
when I did security work, the number one way to get into their systems was via printers.
Nothing like sitting down and be into a banks system in less then 30 seconds.
The Kruger Dunning explains most post on
Wait till every light bulb has a 32 bit processor and a firmware in flash memory. If we're still cranking out shitty software like we do today then, it'll be hackers' paradise.
Remove the toner from the printer and you only get white hats.
Engineering is the art of compromise.
The biggest issue isn't a lack of (software or physical) security regarding the machine, but a lack of a security policy in these instances. At our institution, machines have unique names, unique passwords (when they have to scan to a network drive), and are behind the campus firewall. But a user could get one, hook it up (putting it behind the firewall) and not change the default password and we'd 1) be none the wiser and 2) have no control over the machine. If a department gets one, it's their printer, not ours.
Still, with client-side antivirus and firewalls, and the control we have over the servers (for a multifunction printer to be able to scan to a server, it has to be given specific access, which doesn't happen lightly), it doesn't seem like being able to access the web interface can pose a whole lot of a threat. An attacker could potentially waste a ream of paper or two, a bit of toner, but I don't foresee any major consequences.
is to come into work in the morning to find all the ink and paper has been wasted printing the goatse man over and over again....
Monstar L
This is actually a very good point, a network is only as strong as its weakest link (or firewall). While each machine on a network may be secure, hijacking a printer can do the same amount of damage as hacking any other machine on the network (save actual servers w/ data on them). Imagine hijacking a printer on a network and then having it send out spam (hey, its on superreliabledomain.com, no reason to hastily toss it in the spam bucket), or arp poisoning to listen in on other traffic on the network it should have no business with. Any device connected to a network should meet a certain standard of security, it only takes one weak link to really mess things up.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
As noted, this has been covered before. If you are not doing your best to segment your network for security reasons, then you probably deserve to learn about this one the hard way. EVERYTHING now has the smarts/hardware to launch/spread/spawn a virus attack on your network. Every day I get one or two messages about this and mobile computing being the 'number one' threat to our networks.
FerCrissakes, every USB stick has that ability if you have not done your work/research etc.
But still, by far, the most dangerous thing on your network is the end user(s)...
That's life, it's the way the cookie crumbles, and it's how you're going to lose brownie points with the PHB at work.
Support NYCountryLawyer RIAA vs People
My dot-matrix parallel printer will never turn on me like that!
Screeeeeeeech
Klingon programs don't timeshare, they battle for supremacy.
Lexmark, Xerox, the list goes on. How about a Linksys WRT54G? How many devices out there can be easily rooted and owned? The list is endless. Who would suspect a logon attempt or a slow port scan from a printer, or a volume-page scanner?
Maybe your VoIP system's very happy you linked it to your Active Directory with an administrative logon. Seen any weird LDAP requests recently? Had to reboot your RIP engine recently? Surprise!
Diligence is its own reward.
---- Teach Peace. It's Cheaper Than War.
I take it from the summary that simple print-scan-copy machines aren't what is being mentioned. Instead, referring to those smart printers that "can access all your companies files" -- couldn't figure how that was a good idea when I saw the ads myself.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
come to think of it, my refrigerator made some noise as I powered up the computer,....
hah. about 10 years ago, I got a call from an admin at the University of Texas. Seems a host on my network was scanning his network pretty aggressively. Figuring the guy went to the trouble to find person responsible for the offending host, me, I talked to him, got the IP, and finally found the host. It was a web cam. huh. So while I had him on the line, I pulled the cable. Scanning stopped. Put the cable back in, scanning started.
I apologized and pulled the camera off the network. I then plugged it into a disconnected hub and poked around. Linux box running apache and some other crap. A few minutes later, I too p0wned the camera.
about 2 years ago my boss was talking about the security risk in shared network printers. If he wanted a hard copy of something sensitive, he would have to hit Print, and then trot down the hall to get his output before anyone say it. Printers and other IP devices have a host of problems. No news here.
I work on networked multifunction copiers & printers. You would think they would lock a lot of them down, but they don't. Some times, I need net access when I'm working on one, and 99 times out of 100, all I have to do is unhook the net cable from the MFP, and connect it to my laptop and bingo, I'm on the net. The only place I've been that this doesn't work is a major hospital....duh...at least because of the HIPPA rule, they lock EVERYTHING down.
Let's work with the concept that a multifunction machine get pwned for a moment. Instead of all the ideas of using it to root around on your servers, or join a botnet, what if the vulnerability did something as innocuous as FTP/SMTP (or even fax) images of scanned/printed documents to a server on the outside world?
Get a machine in a place that does financial or medical records and now you have a steady stream of confidential information going somewhere in the form of soc. security numbers, bank account numbers, etc. all in scanned form.
Since the machine probably already does this on a regular basis under normal use, it's possible that such an exploit could continue for a while before it would ever be discovered.
This one time, at my office, this guy, he hacked the multifunction printer,.. And it didn't print!!!
That feeling you get, that tingling sensation when you walk down into your dark basement cellar. That's the feeling of the multifunction printer watching your every move.
With processor, ethernet etc that fits into 35mm×19mm×19mm of space[1]. Basically the same OS as your file, printer, web and database servers...
This means that anything that size or bigger, could be running a set of software perfectly able to be compromised, and used as a springboard into other systems. Anything with a network port should have the same security policies applied as a server.
[1] e.g. http://www.picotux.com/techdatae.html
Deleted
Im in ur bulbs, givin u seezures.
http://www.openbsd.org/
http://www.lynuxworks.com/solutions/security.php
http://www.coyotos.org/
Fortunately, these MFP's don't have speakers. Otherwise, the goats would have a new form of emission... mwaehhehehe mwaehhehhee.... Now, you can hear, see, *and* smell the goat..
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Brendan O'Conner first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machine sitting in the corner and should be treated with their own respective security strategy.
The Xerox WorkCentres are more likely to malfunction, first. They jam incessantly unless you use Xerox brand paper (rather than design their machines to handle popular paper, they design their machines to only handle Xerox paper properly) and they have basic design defects- for example, toner builds up on fingers near the fuser assembly, which has to be scraped off regularly or the machine starts to jam with increasing frequency.
Also, the print spooler PC on the back of the 3535 units (the B&W ones, may have that # wrong) were completely stupid- when the copier displays a message to the effect of "PC booting" with a progress bar, it's a TIMER, and nothing more- the machine doesn't actually check if the PC successfully booted and is accepting jobs.
Don't even get me started about how atrocious the Windows-based RIP engine is for the color printers.
Not even remotely "smart".
Please help metamoderate.
All kidding aside (printf), we had a break in a few years ago by some very organized Blokes one (of many) thing they hit was an HP 120nr printer (w/ RIP [fonts]) to which they tried (and failed) to chip crowd or replace the firmware. They jumped routers/switches to the local LAN to accomplish this, the network card was damaged in this attempt - we just got it back from the repair shop and the Tech asked me "what did you do, pull the NIC card while it was running?"
Of course I didn't, nor did anyone here do such a thing, what you have to understand is only a portion of the printers' motherboard was damaged. I'll leave it as an exercise to you to figure which area.
All was not lost as the USB still functions as well as the parallel port,
The printer was not configured.
The computers/LAN were Macintosh (OS8.x.x, 9.2.2 clients) - OS X 10.2.8 clients/servers.
Init's were utilized on the legacy OSs to attack.
OS X (Shockwave, QT, Flash etc.) was used for "the show".
The routers had to be re-flashed.
Yeah, and Bob's your Uncle.
~hylas
Mind you, it still printed.
This is just the technology filtering down. :)
The World Wide Web is dying. Soon, we shall have only the Internet.
We have a $45,000 high quality high volume scan/printer that is a paperweight.
They purchased it for scanning confidential documents. The hitch is that there is only 1 way to get documents off of this printer: A public non-protected network share... This is basically against the law for a bank.
I suggested that I could set up a private network and they could securely upload docs to the proper place with the right security, however that plan was nixed for being "non-standard"
The result is that now they consult me when buying a pencil sharpener because they don't know how it will affect network security.
Comment removed based on user account deletion
There are issues using them when handling sensitive data such as personal records. The hard drive in these printers do not always clear out the information used to make the previous printouts, allowing someone to later to recall and make reprints.
My wife works in a HR position and will not use these work center type of printer because she does not have a usable means to clear out the disk after make printouts of personal data. There was a push for the office users to use this as there default network printer in order to reduce the number of personal printers that was in the office. She asked if there was a method to make sure the information was erased after making a printout. She was assured that it would be taken care of and not to worry about it, to which she replied, that she would make sure to print out their personal files out on the printer if it seemed to be needing service.
The printer that she now uses is one that does not have any data retention capabilities like a hard drive, it also sits at her desk and not in the common area.
I dont know if it was before or after the blackhat talk.
http://www.irongeek.com/i.php?page=security/networkprinterhacking
its really interesting stuff.
Maybe somebody will invent a benevolent virus for multifunction printers that will enable them to actually print envelopes.
It's not that the printer is multifunction that has anything to do with it. I used to have a multifunction printer that connected to my computer with USB. I dare say that it offered no particularly interesting attack vector in that configuration.
Comment removed based on user account deletion
wtf PostGreSQL? It's "PostgreSQL", "postgres", or "Pg".
Upgrade now to Norton Anti virus 2008 to ensure your printer is safe.
Sort of. After a power outage, i hadnt rebuilt the settings on my wireless router. One day i went into my network places and there were a few new folders in there, as well as another shared printer. Checked the logs and sure enough "ScottsLaptop" or somebody was leeching my wireless. My own fault for not re-securing it, but i still printed several pages of goatse on his shared printer before i booted him off my network. Not really related at all, but a mildly amusing network printer story if there ever were such a thing.
"Sic Semper Tyrannosaurus Rex."
I know for a fact that Toshiba copiers offer a variety of security features for what they call their E-Bridge Architecture, the built in Linux server that powers the MFP. These range from a hard drive data-overwrite kit to a scrambler board that encrypts and decrypts data on the fly using a user-created site-key. Also, they do digital signatures when scanning to a SMB/CIFS share (scanning to an FTP server is also an option, as well as directly to a thumb drive) and allow for LDAP or smart-card based authentication before any scanning or printing function is used. The newest models also allow for secure PDFs. I've given some effort to get root access to one of the devices, and have thus far failed. Not saying it can't be done, I'm certainly not a "black hat". Full Disclosure: I am the I.T. Manager / Sr. Network Engineer for a wholly-owned Toshiba subsidiary.
http://csrc.nist.gov/nissc/2000/proceedings/papers/034.pdf
Basically, 9 years ago we showed some remarkably embarassing features in Xerox multifunction printer/copiers/faxes. Including SNMP access to plaintext passwords!
I wonder how many of these "features" are still there.
...but when it comes to bid, most companies decide it's not worth the cost. I've worked in the MFP business now for nearly ten years, and security has evolved to address these issues as well as regulatory requirements. Some manufacturers are better at it than others, and those who do not create it themselves partner up to provide the solutions.
Security is on every single RFP, whether it be device management or document security, and most companies talk the importance of security until they see the price (financial and/or convenience) - then it becomes a distant third to cost and glitz. In the case of built-in security, many times it's just plain not used, either because it was perceived as a pain in the ass to deploy, or caused restrictions that end users would not tolerate.
Want your MFPs to be rock-solid secure? Man up, and don't let the bean counter compromise your security standards. Get involved with the RFP process EARLY and review the vendor solutions instead of just letting your facilities dinosaur run the show and award the contract to the lowest bidder...and suddenly pop up on your network.
The generation of WorkCentre Pros mentioned in the article are no longer part of the current line up.
A 'smart' network entity will be a risk if it isn't locked down regardless of whether it is a printer or a server or a desktop computer.
The current generation of devices have improved security features including encryption of job files and digital watermarking at creation to ensure you can track the originator of any document.
To use a basic analogy - if you don't close and lock your doors - is it the houses' fault it's "insecure"?
Sara
Designer, Gamer, Macgrrl in an XP World
I actually came back to the office one day finding 400 pages of porn printed in color on our office printer. Apparently it was open for everyone on the net to use as a print server.
Seriously. Such a suggestion is a clear illustration of a security threat to be concerned about and guarded against.
It also makes for a realistic discussion of the risk with a non-technical user.
I don't want to lose sleep over the possibility, do you?
Except, how would you prevent it from happening? I'm not sure you can, but I'll bet the answer is in this book called Extrusion Detection. I haven't (yet) read it, however I have read its sister book (Network Security Monitoring) by the same outstanding expert author, a former US Air Force captain who should know, and that's why I think the answer to prevent such an internal 'exploit' is in that particular book.
You can't be ahead of the curve, if you're stuck in a loop.
In a place like slashdot where people like to go off every time a security vulnerability is discovered that lets hackers take over commercial websites and use them to deliver viruses, etc. to their users I'd hoped somebody here would have understood the point better.
Let me walk you through the steps that were described in that old conference paper:
1) printer (doesn't matter whether it was multifunction or just-plain printer) runs web server by default so lazy admins can manage it without walking to different buildings
2) printer runs java-clone (can't be turned off)
3) vulnerability in web server code in the printer exposes printer's admin/'root' access password to anybody
4) printer's admin/'root' access password is all you need to upload user-written java-clone source code to the printer and command the printer to run the new code
5) that user-written java-clone source code can do most of the usual things you can do with a java program to attack computers or a network
So...those printers or any device which runs a web server for a 'friendly' admin interface is something you should be worried about because you don't know what security vulnerabilities it has, you can't run an anti-virus product in them and admins rarely bother to apply regular security updates to them (if the vendor even bothers to look for or fix the security vulnerabilities).
If you were a network/system admin and knew that you had hundreds of machines on your net still running Windows 2000 SP1 (no subsequent security patches) and with no anti-virus software on them wouldn't you feel pretty nervous about the security of the rest of your computers? The point of that old conference paper is that you are in exactly that situation today and probably didn't even know it.
Way back in the early 1990's someone at MIT wrote an IRC server in postscript that ran (very slowly) on an HP printer. I was never able to stay connected to it for very long but it dis illustrate what you could do with postscript on a postscript enabled printer.
Did you even read the guy's entire post? Why would you need to cut a cable to break into the network with a wireless connection? You must be clueless because you think it is some amazing feat to run a network sniffing program.
Where does slashdot get posters these days? Oh yeah, they are 12 year old kids. I used to read this site because quite a few posters seemed to be experts in their respective fields--at least the ones who where modded up. Now I don't know why I bother.
Since apparently we have to sign our "name" to be in the club--a lot of you 12 year olds are doing it. Who the hell thought that was cool?
Signed: The slashdot is full of 12 year olds "troll".
Looking at this, I was wondering how or why there would be talk at Black Hat about a multifunction printer being a security risk. "What, would terr'ists sneak in and use the printer to scan jihadist documents are very slowly print them out -- only to fax them!!" No, it's a little more elevated than that. Still not anything I need to worry about right now though.
Now goatse-laden printers, that's scary.
-- haaz.
The article is assuming that people are actually _concerned_ about security, as opposed to the _illusion_ and _game_ (read: commerce surrounding) security.
So many of the things that organizations (particularly government organizations) do to "improve security" are really exercises in "security theater" to make management and certain "nervous nellie" types feel better about the complex machines and complex processes they oversee but don't have a prayer in hell of ever really understanding.
Real security begins as a culture of accountability and responsibility, along with the understanding that anything is only ever as secure as the awareness of the people managing it and their physical ability to secure and defend it. It is an ongoing, top-down set of procedures and processes along with a community (constituency) oriented communication and education effort designed to teach _and_ engage the user community about security awareness and the various procedures.
You can't buy a one-size-fits all security thingy and expect to turn it on and have it to work forever in all cases all of the time. And yet that is exactly the mentality of so many people I encounter on a routine basis-- particularly where I work at a large govt agency-- and MOST particularly the _security people themselves_ !! I suppose the closer you are to an issue the harder it is to really see it maybe.
Due to processing demands of Postscript, it had the highest speed 68000 available in an Apple product, besting all the Macs of the time.
They who can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety. B.Fkln
the Field Engineers scraped the hard drives before bringing back any movies.