Slashdot Mirror


Multifunction Printers — The Forgotten Security Risk?

eweekhickins writes to share an article in eWeek highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machines sitting in the corner and should be treated with their own respective security strategy. "During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer--complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostgreSQL. He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine."

8 of 153 comments

  1. Re:So what's the potential threat? by KublaiKhan · · Score: 5, Insightful

    More evil would be a system that forwards the documents printed to another location....

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
  2. Weakest Link by ookabooka · · Score: 5, Insightful

    This is actually a very good point: a network is only as strong as its weakest link (or firewall). While each machine on a network may be secure, hijacking a printer can do the same amount of damage as hacking any other machine on the network (save actual servers w/ data on them). Imagine hijacking a printer on a network and then having it send out spam (hey, it's on superreliabledomain.com, no reason to hastily toss it in the spam bucket), or arp poisoning to listen in on other traffic on the network it should have no business with. Any device connected to a network should meet a certain standard of security; it only takes one weak link to really mess things up.

    --
    If you are about to mod me down, keep in mind that this post was most likely sarcastic.
  3. Perhaps I'm jaded, but is this news? by zappepcs · · Score: 5, Insightful

    As noted, this has been covered before. If you are not doing your best to segment your network for security reasons, then you probably deserve to learn about this one the hard way. EVERYTHING now has the smarts/hardware to launch/spread/spawn a virus attack on your network. Every day I get one or two messages about this and mobile computing being the 'number one' threat to our networks.

    FerCrissakes, every USB stick has that ability if you have not done your work/research etc.

    But still, by far, the most dangerous thing on your network is the end user(s)...

    That's life, it's the way the cookie crumbles, and it's how you're going to lose brownie points with the PHB at work.

  4. It ain't news. by hal9000(jr) · · Score: 2, Insightful

    Hah. About 10 years ago, I got a call from an admin at the University of Texas. Seems a host on my network was scanning his network pretty aggressively. Figuring the guy went to the trouble to find the person responsible for the offending host, me, I talked to him, got the IP, and finally found the host. It was a web cam. Huh. So while I had him on the line, I pulled the cable. Scanning stopped. Put the cable back in, scanning started.

    I apologized and pulled the camera off the network. I then plugged it into a disconnected hub and poked around. Linux box running Apache and some other crap. A few minutes later, I too p0wned the camera.

    About 2 years ago my boss was talking about the security risk in shared network printers. If he wanted a hard copy of something sensitive, he would have to hit Print, and then trot down the hall to get his output before anyone saw it. Printers and other IP devices have a host of problems. No news here.

  5. Re:ABout time by mpapet · · Score: 5, Insightful

    I'm calling you on this because I think it's very improbable without a laptop in the physical location. Sure it broadcasts like crazy in a LAN, but there's a HUGE leap from getting on the printer to turning it into your bot from a remote destination. Did the print server have a public IP?

    Some details please.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  6. Re:First virus by vux984 · · Score: 5, Insightful

    Wasn't one of the first Mac viruses spread by a mac printer?

    There was a famous trojan that infected apple laser printers via postscript... but I don't think it 'spread' itself so it wasn't really a virus, nor would it qualify as a Mac virus because it didn't infect Macs, just some Apple Printers.

    In any case I think it just lived on the printer. Although one of its effects was to change the password, something that could only be done a limited number of times for some demented reason, which meant eventually the printer would lock you out, and you couldn't reset the password without swapping in a bios or pram, or something along those lines.

    Nonetheless, yes, laser printers have been 'servers' in their own right for over 20 years, so this is hardly news. The same is true of NAS, routers, managed switches, and so forth. And as for an "IT security strategy", really, what can you do? Be aware it's possible, and limit your attack surfaces to a level appropriate to the risk of them being compromised and the level of damage they could do if compromised.

    For most of us, "Don't put your printer on the internet" is probably sufficient "IT security strategy"... although for higher security installations, something more detailed would be required.

  7. Multi-malfunction devices, more like it by SuperBanana · · Score: 2, Insightful

    Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machines sitting in the corner and should be treated with their own respective security strategy.

    The Xerox WorkCentres are more likely to malfunction, first. They jam incessantly unless you use Xerox brand paper (rather than design their machines to handle popular paper, they design their machines to only handle Xerox paper properly) and they have basic design defects- for example, toner builds up on fingers near the fuser assembly, which has to be scraped off regularly or the machine starts to jam with increasing frequency.

    Also, the print spooler PC on the back of the 3535 units (the B&W ones, may have that # wrong) were completely stupid- when the copier displays a message to the effect of "PC booting" with a progress bar, it's a TIMER, and nothing more- the machine doesn't actually check if the PC successfully booted and is accepting jobs.

    Don't even get me started about how atrocious the Windows-based RIP engine is for the color printers.

    Not even remotely "smart".

  8. Re:ABout time by JoeZeppy · · Score: 2, Insightful

    Bullsh*t. You been watching too much Hollywood crap. They'd have to have a ladder to reach the tiles, some way to cut the Cat 5 cable, put a connector on the end (non-trivial if fiber), then have to splice the router into the cable, set the router IPs to be on the same subnet as the bank (unless you know this you'll need a sniffer program to grab it). While they are doing this they can't cause a noticeable outage and I doubt the bank's DNS is going to give the laptop an IP without some kind of login and authentication. Plus you probably need to know what kind of printers they are running, their IP address and/or name before you can get to them to install the Trojan/virus.

    I don't know what you mean, a DHCP server will happily give out IPs to anything that asks for one, there's no authentication involved. And if you're good, you can probably cut a cat5 cable and put an RJ45 on it in a minute or two. Sure the guy at the cube whose cable you cut will probably complain, but how long will it take an electrician to figure out what happened, or will they just pull a new cable? Not saying I believe the story, but it's not as far-fetched as you make it sound.

    And anyway, a 4 port Linksys WRT54g will function like a hub, and pass the DHCP request right through if it's set up right. That's why admins freak about people buying them at Best Buy and hooking them up under their desks.

    Heck if I was doing it, I'd have my laptop set up to talk to the Linksys box with WPA and not broadcast an SSID, to make it harder for security to find my private WAN.