Multifunction Printers — The Forgotten Security Risk?
eweekhickins writes to share an article in eWeek highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machines sitting in the corner and should be treated with their own respective security strategy. "During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer--complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostgreSQL. He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine."
Wasn't one of the first Mac viruses spread by a mac printer?
They ARE out to get you simply because They are in it for themselves and they don't care about you.
Are we going to have a bot net of machines that print our spam for us?
Remove the toner from the printer and you only get white hats.
Engineering is the art of compromise.
The biggest issue isn't a lack of (software or physical) security regarding the machine, but a lack of a security policy in these instances. At our institution, machines have unique names, unique passwords (when they have to scan to a network drive), and are behind the campus firewall. But a user could get one, hook it up (putting it behind the firewall) and not change the default password and we'd 1) be none the wiser and 2) have no control over the machine. If a department gets one, it's their printer, not ours.
Still, with client-side antivirus and firewalls, and the control we have over the servers (for a multifunction printer to be able to scan to a server, it has to be given specific access, which doesn't happen lightly), it doesn't seem like being able to access the web interface can pose a whole lot of a threat. An attacker could potentially waste a ream of paper or two, a bit of toner, but I don't foresee any major consequences.
This is actually a very good point, a network is only as strong as its weakest link (or firewall). While each machine on a network may be secure, hijacking a printer can do the same amount of damage as hacking any other machine on the network (save actual servers w/ data on them). Imagine hijacking a printer on a network and then having it send out spam (hey, it's on superreliabledomain.com, no reason to hastily toss it in the spam bucket), or ARP poisoning to listen in on other traffic on the network it should have no business with. Any device connected to a network should meet a certain standard of security, it only takes one weak link to really mess things up.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
As noted, this has been covered before. If you are not doing your best to segment your network for security reasons, then you probably deserve to learn about this one the hard way. EVERYTHING now has the smarts/hardware to launch/spread/spawn a virus attack on your network. Every day I get one or two messages about this and mobile computing being the 'number one' threat to our networks.
FerCrissakes, every USB stick has that ability if you have not done your work/research etc.
But still, by far, the most dangerous thing on your network is the end user(s)...
That's life, it's the way the cookie crumbles, and it's how you're going to lose brownie points with the PHB at work.
Support NYCountryLawyer RIAA vs People
My dot-matrix parallel printer will never turn on me like that!
Screeeeeeeech
Klingon programs don't timeshare, they battle for supremacy.
Lexmark, Xerox, the list goes on. How about a Linksys WRT54G? How many devices out there can be easily rooted and owned? The list is endless. Who would suspect a logon attempt or a slow port scan from a printer, or a volume-page scanner?
Maybe your VoIP system's very happy you linked it to your Active Directory with an administrative logon. Seen any weird LDAP requests recently? Had to reboot your RIP engine recently? Surprise!
Diligence is its own reward.
I take it from the summary that simple print-scan-copy machines aren't what is being mentioned. Instead, it's referring to those smart printers that "can access all your company's files" -- couldn't figure out how that was a good idea when I saw the ads myself.
Hah. About 10 years ago, I got a call from an admin at the University of Texas. Seems a host on my network was scanning his network pretty aggressively. Figuring the guy went to the trouble to find the person responsible for the offending host, me, I talked to him, got the IP, and finally found the host. It was a web cam. Huh. So while I had him on the line, I pulled the cable. Scanning stopped. Put the cable back in, scanning started.
I apologized and pulled the camera off the network. I then plugged it into a disconnected hub and poked around. Linux box running Apache and some other crap. A few minutes later, I too p0wned the camera.
About 2 years ago my boss was talking about the security risk in shared network printers. If he wanted a hard copy of something sensitive, he would have to hit Print, and then trot down the hall to get his output before anyone saw it. Printers and other IP devices have a host of problems. No news here.
I'm calling you on this because I think it's very improbable without a laptop in the physical location. Sure it broadcasts like crazy in a LAN, but there's a HUGE leap from getting on the printer to turning it into your bot from a remote destination. Did the print server have a public IP?
Some details please.
Let's work with the concept that a multifunction machine gets pwned for a moment. Instead of all the ideas of using it to root around on your servers, or join a botnet, what if the vulnerability did something as innocuous as FTP/SMTP (or even fax) images of scanned/printed documents to a server on the outside world?
Get a machine in a place that does financial or medical records and now you have a steady stream of confidential information going somewhere in the form of soc. security numbers, bank account numbers, etc. all in scanned form.
Since the machine probably already does this on a regular basis under normal use, it's possible that such an exploit could continue for a while before it would ever be discovered.
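One defender-side check for the scenario above, added here as an example and not code from any poster: because scan-to-email and scan-to-folder traffic from an MFP is normal, the useful signal is not the protocol but the destination, so this compares outbound SMTP/FTP flows from known MFPs against the destinations each device is configured to use and flags any other. The device inventory, addresses and flow-log format are constructed placeholders.

```python
"""Flag SMTP/FTP flows from known multifunction printers that go to
destinations other than the ones each device is configured to use."""
from ipaddress import ip_address, ip_network

# Constructed inventory (placeholders): MFP address -> the mail relay and
# scan-to-folder FTP server that device is actually configured to talk to.
MFP_ALLOWED = {
    "10.20.5.14": {"10.20.1.25"},
    "10.20.5.15": {"10.20.1.25", "10.20.1.30"},
}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
WATCHED_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}

def parse_flow(line):
    # Constructed flow-log format: "timestamp src dst dport proto bytes"
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}

def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)

def suspicious_flows(lines):
    """Return (src, dst, service, reason, bytes) for each flow from an MFP
    on a watched port whose destination is not in that MFP's allow set."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        allowed = MFP_ALLOWED.get(f["src"])
        if allowed is None or f["proto"] != "tcp" or f["dport"] not in WATCHED_PORTS:
            continue  # not an MFP, or not a document-transfer protocol
        if f["dst"] in allowed:
            continue  # the relay/share the device is supposed to use
        reason = "external" if not is_internal(f["dst"]) else "unexpected-internal"
        alerts.append((f["src"], f["dst"], WATCHED_PORTS[f["dport"]], reason, f["bytes"]))
    return alerts

SAMPLE_FLOWS = [  # constructed sample records
    "2024-01-01T09:00:01 10.20.5.14 10.20.1.25 25 tcp 482000",    # normal scan-to-email
    "2024-01-01T09:00:07 10.20.5.14 203.0.113.9 25 tcp 611000",   # SMTP to an outside host
    "2024-01-01T09:01:12 10.20.5.15 10.20.1.30 21 tcp 902000",    # normal scan-to-folder
    "2024-01-01T09:02:44 10.20.5.15 198.51.100.4 21 tcp 1208000", # FTP to an outside host
    "2024-01-01T09:03:10 10.20.5.15 10.20.7.77 587 tcp 55000",    # internal but unconfigured
    "2024-01-01T09:03:20 10.20.5.14 10.20.1.25 443 tcp 2000",     # not a watched port
    "2024-01-01T09:04:00 10.20.9.9 203.0.113.9 25 tcp 9000",      # not an MFP, ignored
]

if __name__ == "__main__":
    for a in suspicious_flows(SAMPLE_FLOWS):
        print("ALERT %s -> %s (%s, %s, %d bytes)" % a)
```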
With a processor, Ethernet, etc. that fits into 35 mm × 19 mm × 19 mm of space [1]. Basically the same OS as your file, printer, web and database servers...
This means that anything that size or bigger could be running a set of software perfectly able to be compromised, and used as a springboard into other systems. Anything with a network port should have the same security policies applied as a server.
[1] e.g. http://www.picotux.com/techdatae.html
Im in ur bulbs, givin u seezures.
Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machines sitting in the corner and should be treated with their own respective security strategy.
The Xerox WorkCentres are more likely to malfunction, first. They jam incessantly unless you use Xerox brand paper (rather than design their machines to handle popular paper, they design their machines to only handle Xerox paper properly) and they have basic design defects: for example, toner builds up on fingers near the fuser assembly, which has to be scraped off regularly or the machine starts to jam with increasing frequency.
Also, the print spooler PC on the back of the 3535 units (the B&W ones, may have that # wrong) was completely stupid: when the copier displays a message to the effect of "PC booting" with a progress bar, it's a TIMER, and nothing more. The machine doesn't actually check if the PC successfully booted and is accepting jobs.
Don't even get me started about how atrocious the Windows-based RIP engine is for the color printers.
Not even remotely "smart".
We have a $45,000 high quality high volume scan/printer that is a paperweight.
They purchased it for scanning confidential documents. The hitch is that there is only 1 way to get documents off of this printer: A public non-protected network share... This is basically against the law for a bank.
I suggested that I could set up a private network and they could securely upload docs to the proper place with the right security; however, that plan was nixed for being "non-standard".
The result is that now they consult me when buying a pencil sharpener because they don't know how it will affect network security.
You mean like this one?
http://www.troygroup.com/SecurityPrinting/products/MICRPrinter/4300secure.asp
I don't know what you mean, a DHCP server will happily give out IPs to anything that asks for one, there's no authentication involved. And if you're good, you can probably cut a cat5 cable and put an RJ45 on it in a minute or two. Sure the guy at the cube whose cable you cut will probably complain, but how long will it take an electrician to figure out what happened, or will they just pull a new cable? Not saying I believe the story, but it's not as far-fetched as you make it sound.
And anyway, a 4 port Linksys WRT54G will function like a hub, and pass the DHCP request right through if it's set up right. That's why admins freak about people buying them at Best Buy and hooking them up under their desks.
Heck if I was doing it, I'd have my laptop set up to talk to the Linksys box with WPA and not broadcast an SSID, to make it harder for security to find my private WAN.
Upgrade now to Norton Anti virus 2008 to ensure your printer is safe.
Sort of. After a power outage, I hadn't rebuilt the settings on my wireless router. One day I went into my network places and there were a few new folders in there, as well as another shared printer. Checked the logs and sure enough "ScottsLaptop" or somebody was leeching my wireless. My own fault for not re-securing it, but I still printed several pages of goatse on his shared printer before I booted him off my network. Not really related at all, but a mildly amusing network printer story if there ever were such a thing.
http://csrc.nist.gov/nissc/2000/proceedings/papers/034.pdf
Basically, 9 years ago we showed some remarkably embarrassing features in Xerox multifunction printer/copiers/faxes. Including SNMP access to plaintext passwords!
I wonder how many of these "features" are still there.
It's pretty rare for people to change the MAC address of their devices, even on devices that allow it. And since each vendor is allocated its own prefix(es) it's pretty straightforward to narrow your search to e.g. Xerox MAC addresses. With a bit of research it's likely you'd be able to find even narrower prefixes that the vendor has allocated to particular types of printers.
Don't you want to control that printer and its agent from outside the bank? To do that you've got to do a lot more things, like change firewall/router rules and routing tables. I think that's what the installation of the wireless router is for.
Also, don't forget that all your criticisms are implying that the bank has implemented good security practices across the board. We like to think they do, but in reality they're probably only a little bit better than the majority of companies. Very few people require authentication before providing an address via DHCP, for example, or do MAC filtering on every port (or even enough ports to make it meaningful).
Finally, the post you responded to didn't say the guys just walked in out of the blue without any prior research. That seems unlikely. Also why would you need to give your wireless router an IP on their network if it's sitting in the network path? Ideally you wouldn't be using an off-the-shelf one, but I think that'd be fine on most networks, particularly since most people consider their internal cabling to be pretty trustworthy.
Your other main criticism is they'd need to take down the network in order to patch into it, but that would only take a few minutes. If you lose a part of your network are you going to go "everyone quick, to the restroom!" to find the culprit? Very improbable. Most likely it would take a minute or two before the network admins even identified the switches/routers that were having problems, then it'd take another few minutes for them to physically go to the devices and check the cables are plugged in (the first place most people would start looking once they established that the link was down). And by this time it's probably come back up again.
Now if their security guys are really hardcore they might decide to go through the roof and check out the entire length of the network cable to make sure it hasn't been tampered with, but 99% of people are just going to "monitor it and see if it happens again" -- which it wouldn't. Then it'd be forgotten about.
Well? What did the department do with it? You can't just waste that...
Last I checked (which was a few minutes ago), every current Konica Minolta office product has every feature you're talking about ("office products" excludes the printers, SOHO toys and production equipment (like the C6500 mentioned in another thread - which being a production machine shouldn't be anywhere near a corporate or public network - it's a print room machine!)). Data erasure policies for RAM and HDD, Active Directory login, security logging, internal firewall... plus many you didn't mention such as encryption of all data on the HDD, lockouts to prevent password guessing and the ability to completely disable ANY port it opens.
Yes, I do work for Konica Minolta (as a programmer).
Of course, the vast majority of our customers don't even change the default admin password let alone set up anything else. And honestly at least SOME of the blame for this probably rests on our pre-sales consultants for not even mentioning these features before the equipment is installed, but we do have them.