Slashdot Mirror


Multifunction Printers — The Forgotten Security Risk?

eweekhickins writes to share an article in eWeek highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machines sitting in the corner and should be treated with their own respective security strategy. "During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer--complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostgreSQL. He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine."

8 of 153 comments

  1. Not simply PSC then by pembo13 · Score: 2, Informative

    I take it from the summary that simple print-scan-copy machines aren't what is being mentioned. Instead, referring to those smart printers that "can access all your company's files" -- couldn't figure how that was a good idea when I saw the ads myself.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  2. Re:So what? by Pirulo · Score: 1, Informative

    There are other consequences that are sensitive to several businesses.

    Enabling the MFP to cache all documents so they can be retrieved by the hijacker is an example of how to steal sensitive information.

  3. irongeek did some research into this by Anonymous Coward · Score: 1, Informative

    I don't know if it was before or after the Black Hat talk.

    http://www.irongeek.com/i.php?page=security/networkprinterhacking

    It's really interesting stuff.

  4. Re:Sensitive data issues by Bork · Score: 2, Informative
  5. Re:It ain't news. by flink · Score: 3, Informative

    Many larger/more sophisticated printers these days have a "print to mailbox" option that causes the document to remain spooled on the printer indefinitely instead of immediately printed. You have to be physically at the printer and enter your user ID and PIN to start your print job. So that mitigates the hanging around the printer attack, still doesn't help if the printer gets r00ted though.

  6. Re:ABout time by totally+bogus+dude · Score: 2, Informative

    Plus how do you know what IP address is a printer without special tools such as a sniffer?

    It's pretty rare for people to change the MAC address of their devices, even on devices that allow it. And since each vendor is allocated its own prefix(es) it's pretty straightforward to narrow your search to e.g. Xerox MAC addresses. With a bit of research it's likely you'd be able to find even narrower prefixes that the vendor has allocated to particular types of printers.

    don't you want to control that printer and its agent from outside the bank? To do that you got to do a lot more things, like change firewall/router rules and routing tables

    I think that's what the installation of the wireless router is for.

    Also, don't forget that all your criticisms are implying that the bank has implemented good security practices across the board. We like to think they do, but in reality they're probably only a little bit better than the majority of companies. Very few people require authentication before providing an address via DHCP, for example, or do MAC filtering on every port (or even enough ports to make it meaningful).

    Finally, the post you responded to didn't say the guys just walked in out of the blue without any prior research. That seems unlikely. Also why would you need to give your wireless router an IP on their network if it's sitting in the network path? Ideally you wouldn't be using an off-the-shelf one, but I think that'd be fine on most networks, particularly since most people consider their internal cabling to be pretty trustworthy.

    Your other main criticism is they'd need to take down the network in order to patch into it, but that would only take a few minutes. If you lose a part of your network are you going to go "everyone quick, to the restroom!" to find the culprit? Very improbable. Most likely it would take a minute or two before the network admins even identified the switches/routers that were having problems, then it'd take another few minutes for them to physically go to the devices and check the cables are plugged in (the first place most people would start looking once they established that the link was down). And by this time it's probably come back up again.

    Now if their security guys are really hardcore they might decide to go through the roof and check out the entire length of the network cable to make sure it hasn't been tampered with, but 99% of people are just going to "monitor it and see if it happens again" -- which it wouldn't. Then it'd be forgotten about.
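    The vendor-prefix point in the comment above works just as well for the network's owner: the same lookup over a DHCP lease export gives an inventory of MFPs and shows which ones sit outside the printer segment. The following is an added example, not part of the original thread; the OUI table, the printer subnet and the lease lines are constructed assumptions, and a real inventory would load the IEEE OUI registry.

```python
import ipaddress
import re

# Constructed OUI -> vendor table (assumption); load the IEEE registry in practice.
PRINTER_OUIS = {"001122": "VendorA MFP", "003344": "VendorB MFP"}
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed printer VLAN

# Constructed lease export: "ip mac hostname", MACs in mixed notations.
SAMPLE_LEASES = """\
10.20.30.11 00:11:22:aa:bb:01 mfp-floor1
10.1.5.77   0033.44de.ad02    copier-lobby
10.1.5.80   3C-5A-B4-00-00-03 laptop-042
10.1.5.91   06:11:22:aa:bb:04 unknown
bad line here
"""

def normalize_mac(raw):
    """Return 12 uppercase hex digits, or None if raw is not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks an overridden or randomized address."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_leases(text):
    """Classify each lease line; returns a list of (ip, finding) tuples."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        mac = normalize_mac(parts[1])
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a lease line
        if mac is None:
            continue
        if is_locally_administered(mac):
            # The OUI is meaningless here, so the vendor cannot be inferred.
            findings.append((str(ip), "locally administered MAC, vendor unknown"))
        elif mac[:6] in PRINTER_OUIS:
            where = "ok" if ip in PRINTER_NET else "outside printer VLAN"
            findings.append((str(ip), f"{PRINTER_OUIS[mac[:6]]}: {where}"))
    return findings

if __name__ == "__main__":
    for ip, finding in audit_leases(SAMPLE_LEASES):
        print(ip, finding)
```

    Addresses with the locally-administered bit set are reported separately because their prefix says nothing about the vendor.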

  7. Re:First virus by Trogre · Score: 3, Informative

    It means that some moron has sent a job to the printer in US Letter again. Just hit OK to have it print from the A4 tray.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  8. Re:Sensitive data issues by YttriumOxide · Score: 2, Informative

    Last I checked (which was a few minutes ago), every current Konica Minolta office product has every feature you're talking about ("office products" excludes the printers, SOHO toys and production equipment (like the C6500 mentioned in another thread - which being a production machine shouldn't be anywhere near a corporate or public network - it's a print room machine!)). Data erasure policies for RAM and HDD, Active Directory login, security logging, internal firewall... plus many you didn't mention such as encryption of all data on the HDD, lockouts to prevent password guessing and the ability to completely disable ANY port it opens.

    Yes I do work for Konica Minolta (as a programmer)

    Of course, the vast majority of our customers don't even change the default admin password let alone set up anything else. And honestly at least SOME of the blame for this probably rests on our pre-sales consultants for not even mentioning these features before the equipment is installed, but we do have them.

    --
    My book about LSD and Self-Discovery
    Also on facebook as: DroppingAcidDaleBewan