Slashdot Mirror


Multifunction Printers — The Forgotten Security Risk?

eweekhickins writes to share an article in eWeek highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machines sitting in the corner and should be treated with their own respective security strategy. "During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer--complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostgreSQL. He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine."

29 of 153 comments

  1. First virus by IdeaMan · · Score: 4, Interesting

    Wasn't one of the first Mac viruses spread by a mac printer?

    --
    They ARE out to get you simply because They are in it for themselves and they don't care about you.
    1. Re:First virus by vux984 · · Score: 5, Insightful

      Wasn't one of the first Mac viruses spread by a mac printer?

      There was a famous trojan that infected apple laser printers via postscript... but I don't think it 'spread' itself so it wasn't really a virus, nor would it qualify as a Mac virus because it didn't infect Macs, just some Apple Printers.

      In any case I think it just lived on the printer. Although one of its effects was to change the password, something that could only be done a limited number of times for some demented reason, which meant eventually the printer would lock you out, and you couldn't reset the password without swapping in a bios or pram, or something along those lines.

      Nonetheless, yes, laser printers have been 'servers' in their own right for over 20 years, so this is hardly news. The same is true of NAS, routers, managed switches, and so forth. And as for an "IT security strategy" really, what can you do? Be aware it's possible, and limit your attack surfaces to a level appropriate to the risk of them being compromised and the level of damage they could do if compromised.

      For most of us, "Don't put your printer on the internet" is probably sufficient "IT security strategy"... although for higher security installations, something more detailed would be required.

    2. Re:First virus by Anonymous Coward · · Score: 3, Interesting

      The funny thing is, when I was setting up our office network I put the printers in their own network (no router), with the print server being the only host able to access both the printer network and the office network. All print jobs were routed through the print server. All scan jobs were available on the print server's file system.

      The sysadmin who came in after me decided this was a boneheaded decision made by a network NAZI, replaced all my Linux boxen with Windows boxen, moved the printers onto the workstation network... and then hacked up a bunch of procedures (as in, words on a page that a human has to act upon) for "securing" the printers so that only marketing people can get to the (expensive per page) colour printer, for example. The security works by only configuring the printer on the desktops of the people who are supposed to be allowed to use it.

      When I point out the possibility of PostScript viruses infecting the printers and possibly turning them into vectors of attack, I'm labelled "paranoid" and dismissed.

      After all, it will "never happen to us."

      In the meantime, the administrator is continually policing desktops to remove unauthorised installations of the printer driver for the colour printer, while we keep burning about $100/month on unauthorised use of that resource.

      That's the problem with Microsoft Windows zealots. It's the 99% of them that give the other 1% a bad name.

    3. Re:First virus by arth1 · · Score: 4, Funny

      Dunno if it was the first network printer hack, but I remember having great fun telnetting to our networked printers more than a decade ago, making the tiny LCD display say "Insert Coin".

    4. Re:First virus by Mister+Liberty · · Score: 3, Funny

      Dunno if it was the first network printer hack, but I remember having great fun telnetting to our networked printers more than a decade ago, making the tiny LCD display say "Insert Coin".

      You should have made that 'Sugar Y/N/Double'


    5. Re:First virus by Anonymous Coward · · Score: 4, Funny

      "Dunno if it was the first network printer hack, but I remember having great fun telnetting to our networked printers more than a decade ago, making the tiny LCD display say "Insert Coin"."

      Fun for you, sure. YOU didn't have to clean the coins out of the gears.

    6. Re:First virus by |Cozmo| · · Score: 3, Funny

      That's awesome. I did something similar to the verifone credit card machine at my first job. I changed the "swipe card" prompt to say "access denied" and everyone thought the machine was broken. They didn't think it was nearly as funny as I did.

    7. Re:First virus by Trogre · · Score: 3, Informative

      It means that some moron has sent a job to the printer in US Letter again. Just hit OK to have it print from the A4 tray.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  2. So what's the potential threat? by daveywest · · Score: 5, Funny

    Are we going to have a bot net of machines that print our spam for us?

    1. Re:So what's the potential threat? by Adriax · · Score: 4, Funny

      Fear the Goatse printer virus.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    2. Re:So what's the potential threat? by KublaiKhan · · Score: 5, Insightful

      More evil would be a system that forwards the documents printed to another location....

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    3. Re:So what's the potential threat? by AuMatar · · Score: 4, Funny

      No, they print out a ransom note, demanding $1,000,000,000 or they'll print out all our spam. Management will pay, because at the current cost of ink the billion is cheap.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    4. Re:So what's the potential threat? by whoever57 · · Score: 3, Funny

      Fear the Goatse printer virus.

      Oh, that is just pure evil! Imagine a printer that randomly inserted a small number of Goatse pages in its output.
      --
      The real "Libtards" are the Libertarians!
    5. Re:So what's the potential threat? by El+Lobo · · Score: 3, Interesting
      I know you're trying to be funny, but at my university, our neighbour department has an (almost) wide open Xerox Workcenter 7245. I say *almost* because they have their Apache with the default 11111 password. Last April the 1st I printed a 50-page document (100 copies) to their printer. It was actually the Administrator's guide for the Xerox Workcenter, as a pdf. To this day, they are still asking who the hell misused their printer that way... ;-)

      On a serious side, that machine can send a scanned document to any mail address using some external SMTP or an internal one (sendmail). If I were a spammer, I could make my day.

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    6. Re:So what's the potential threat? by Ungrounded+Lightning · · Score: 3, Interesting

      Better yet: A texture map that is virtually invisible to the naked eye but becomes visible when copied by a xerographic process (like the "void" markings on some checks).

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  3. Fool the black hats! by EmbeddedJanitor · · Score: 5, Funny

    Remove the toner from the printer and you only get white hats.

    --
    Engineering is the art of compromise.
  4. So what? by SpiritGod21 · · Score: 3, Interesting

    The biggest issue isn't a lack of (software or physical) security regarding the machine, but a lack of a security policy in these instances. At our institution, machines have unique names, unique passwords (when they have to scan to a network drive), and are behind the campus firewall. But a user could get one, hook it up (putting it behind the firewall) and not change the default password and we'd 1) be none the wiser and 2) have no control over the machine. If a department gets one, it's their printer, not ours.

    Still, with client-side antivirus and firewalls, and the control we have over the servers (for a multifunction printer to be able to scan to a server, it has to be given specific access, which doesn't happen lightly), it doesn't seem like being able to access the web interface can pose a whole lot of a threat. An attacker could potentially waste a ream of paper or two, a bit of toner, but I don't foresee any major consequences.

  5. Weakest Link by ookabooka · · Score: 5, Insightful

    This is actually a very good point, a network is only as strong as its weakest link (or firewall). While each machine on a network may be secure, hijacking a printer can do the same amount of damage as hacking any other machine on the network (save actual servers w/ data on them). Imagine hijacking a printer on a network and then having it send out spam (hey, it's on superreliabledomain.com, no reason to hastily toss it in the spam bucket), or ARP poisoning to listen in on other traffic on the network it should have no business with. Any device connected to a network should meet a certain standard of security, it only takes one weak link to really mess things up.

    --
    If you are about to mod me down, keep in mind that this post was most likely sarcastic.
    1. Re:Weakest Link by gotzero · · Score: 3, Funny

      Thankfully, all of the multi-function print centers I have at my job are never working long enough at one time to get hijacked. Maybe the horrible up-times were a gift from the manufacturers to prevent these attacks!

  6. Perhaps I'm jaded, but is this news? by zappepcs · · Score: 5, Insightful

    As noted, this has been covered before. If you are not doing your best to segment your network for security reasons, then you probably deserve to learn about this one the hard way. EVERYTHING now has the smarts/hardware to launch/spread/spawn a virus attack on your network. Every day I get one or two messages about this and mobile computing being the 'number one' threat to our networks.

    FerCrissakes, every USB stick has that ability if you have not done your work/research etc.

    But still, by far, the most dangerous thing on your network is the end user(s)...

    That's life, it's the way the cookie crumbles, and it's how you're going to lose brownie points with the PHB at work.

  7. Hit it, The Paper by Digi-John · · Score: 3, Funny

    My dot-matrix parallel printer will never turn on me like that!
    Screeeeeeeech

    --
    Klingon programs don't timeshare, they battle for supremacy.
  8. The cleverest hacks are in front of your nose by postbigbang · · Score: 4, Interesting

    Lexmark, Xerox, the list goes on. How about a Linksys WRT54G? How many devices out there can be easily rooted and owned? The list is endless. Who would suspect a logon attempt or a slow port scan from a printer, or a volume-page scanner?

    Maybe your VoIP system's very happy you linked it to your Active Directory with an administrative logon. Seen any weird LDAP requests recently? Had to reboot your RIP engine recently? Surprise!

    Diligence is its own reward.

    --
    ---- Teach Peace. It's Cheaper Than War.
  9. Re:ABout time by mpapet · · Score: 5, Insightful

    I'm calling you on this because I think it's very improbable without a laptop in the physical location. Sure it broadcasts like crazy in a LAN, but there's a HUGE leap from getting on the printer to turning it into your bot from a remote destination. Did the print server have a public IP?

    Some details please.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  10. How about physical document security instead? by Radon360 · · Score: 5, Interesting

    Let's work with the concept that a multifunction machine gets pwned for a moment. Instead of all the ideas of using it to root around on your servers, or join a botnet, what if the vulnerability did something as innocuous as FTP/SMTP (or even fax) images of scanned/printed documents to a server on the outside world?

    Get a machine in a place that does financial or medical records and now you have a steady stream of confidential information going somewhere in the form of soc. security numbers, bank account numbers, etc. all in scanned form.

    Since the machine probably already does this on a regular basis under normal use, it's possible that such an exploit could continue for a while before it would ever be discovered.
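
An added example, not part of the thread: the document-forwarding scenario in this comment and the "slow port scan from a printer" raised in comment 8 both appear on the wire as connections that a printer initiates. The sketch below flags them in flow records; the addresses, the allowlist and the record format are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# All addresses below are assumptions constructed for this example.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")   # printer VLAN
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # everything "inside"
ALLOWED = {                    # (dst ip, dst port) a printer may initiate
    ("10.20.1.10", 445),       # scan-to-share on the print server
    ("10.20.1.25", 25),        # internal relay for scan-to-email
}
SCAN_PORTS = 5                 # distinct ports on one host => scan

# Constructed flow records: epoch src dst dst_port proto
SAMPLE_FLOWS = """\
1200000000 10.20.5.12 10.20.30.7 9100 tcp
1200000010 10.20.30.7 10.20.1.10 445 tcp
1200000060 10.20.30.7 10.20.1.25 25 tcp
1200000120 10.20.30.7 203.0.113.50 21 tcp
1200000300 10.20.30.7 198.51.100.9 25 tcp
1200003600 10.20.30.9 10.20.5.40 22 tcp
1200007200 10.20.30.9 10.20.5.40 23 tcp
1200010800 10.20.30.9 10.20.5.40 80 tcp
1200014400 10.20.30.9 10.20.5.40 445 tcp
1200018000 10.20.30.9 10.20.5.40 3389 tcp
"""

def parse_flows(text):
    """Yield (ts, src, dst, port) from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, _proto = line.split()
            yield int(ts), src, dst, int(port)

def analyze(text):
    """Return findings for connections initiated by printers."""
    findings, ports_seen = [], defaultdict(set)
    for _ts, src, dst, port in parse_flows(text):
        if ipaddress.ip_address(src) not in PRINTER_NET:
            continue               # jobs sent *to* printers are normal
        if (dst, port) in ALLOWED:
            continue               # configured scan destinations
        inside = ipaddress.ip_address(dst) in INTERNAL_NET
        findings.append(("lateral" if inside else "egress", src, dst, port))
        ports_seen[(src, dst)].add(port)
    # Count over the whole capture, not per minute, so an hour between
    # probes does not hide the scan.
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORTS:
            findings.append(("slow_scan", src, dst, len(ports)))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(*finding)
```

The allowlist is what makes this usable: scan-to-email to the configured relay is silent, while the same protocol to any other host is reported.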

  11. Re:Not simply PSC then by JoeZeppy · · Score: 3, Interesting
    I take it from the summary that simple print-scan-copy machines aren't what is being mentioned. Instead, referring to those smart printers that "can access all your company's files" -- couldn't figure how that was a good idea when I saw the ads myself.

    We have bunch of these Xeroxes that have - wait for it - an XP workstation hanging off them! No idea what the advantage to that is. You can't use it as a print server, because only ten people at a time can have a connection to it, so as soon as it starts to get heavily used, users complain that they can't connect to it. There's some kind of management console on it that allows you to reprint documents. Yours or your manager's I presume. And the management console needs local admin rights to run.

    So we run around locking down all the users' workstations, but we have a shared workstation in the corner logged in as local admin with no screen saver. Thanks, Xerox! And they don't run Windows update either, you have to get patches from EFI, the company that builds the workstations and sells them to Xerox. We don't know how to support them, and neither do the Xerox reps.

    So we create a server queue, that points to the workstation, that points to the printer. WTF? Where's the value added there? But we can manage our own print jobs! So? Why do you want to? You can't click print again if you need another copy?

    And the drivers don't play nice. Very fun when you have over a hundred queues installed on each print server. The other day, they spent all morning trying to install drivers for one of these crap sandwiches. Every time they installed the driver the server would die.

    And every floor has 3 or 4 of them, because each department needs their own. So half of them are totally underused. But we're saving money on all the printers we replaced! You mean the ones that migrated to users' desks? We have people with a Laserjet 8000 sitting on a table in their office, sucking up power and $90 toner cartridges, so Manager McPrivileged doesn't have to walk down the hall to print out his 5 emails a day.

    We keep telling the Xerox sales rep that we hate her. She thinks we're kidding.

  12. At my work (a bank)... by netsavior · · Score: 4, Funny

    We have a $45,000 high quality high volume scan/printer that is a paperweight.

    They purchased it for scanning confidential documents. The hitch is that there is only 1 way to get documents off of this printer: A public non-protected network share... This is basically against the law for a bank.

    I suggested that I could set up a private network and they could securely upload docs to the proper place with the right security, however that plan was nixed for being "non-standard".
    The result is that now they consult me when buying a pencil sharpener because they don't know how it will affect network security.

  13. Re:Not simply PSC then by Teilo · · Score: 3, Interesting

    What you are describing is an EFI Fiery RIP. This is not just a "workstation hanging off of the printer." It is doing the actual work of rasterizing the Postscript. Get rid of it, and your Xerox is not even a dumb printer. It won't print at all.

    EFI Fiery controllers generally run a version of XP Embedded, which is itself locked down in a variety of ways, but sometimes not. They often have a proprietary motherboard with unique RIP hardware. We have several here. One, driving a Canon CLC 4000, does not even have enough of Windows present to install a driver (VNC in this case).

    Another, driving a Konica BizHub Pro 6500 is almost wide open, except that we actually had to pay for the privilege of hooking up a monitor and keyboard. That's right, they flash the motherboard in such a way that the machine is headless, unless you pay extra.

    --
    I am sorry that people are simple-minded troubleshooting-tree-following monkeys.
  14. Re:ABout time by GNU(slash)Nickname · · Score: 4, Funny

    I doubt the bank's DNS is going to give the laptop an IP

    Yep, pretty sure you're right about that.
  15. Re:It ain't news. by flink · · Score: 3, Informative

    Many larger/more sophisticated printers these days have a "print to mailbox" option that causes the document to remain spooled on the printer indefinitely instead of immediately printed. You have to be physically at the printer and enter your user ID and PIN to start your print job. So that mitigates the hanging around the printer attack, still doesn't help if the printer gets r00ted though.