Slashdot Mirror
Multifunction Printers — The Forgotten Security Risk?
eweekhickins writes to share an article in eWeek highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machine sitting in the corner and should be treated with their own respective security strategy. "During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer--complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostGreSQL. He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine."
Are we going to have a bot net of machines that print our spam for us?
Remove the toner from the printer and you only get white hats.
Engineering is the art of compromise.
This is actually a very good point, a network is only as strong as its weakest link (or firewall). While each machine on a network may be secure, hijacking a printer can do the same amount of damage as hacking any other machine on the network (save actual servers w/ data on them). Imagine hijacking a printer on a network and then having it send out spam (hey, its on superreliabledomain.com, no reason to hastily toss it in the spam bucket), or arp poisoning to listen in on other traffic on the network it should have no business with. Any device connected to a network should meet a certain standard of security, it only takes one weak link to really mess things up.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
As noted, this has been covered before. If you are not doing your best to segment your network for security reasons, then you probably deserve to learn about this one the hard way. EVERYTHING now has the smarts/hardware to launch/spread/spawn a virus attack on your network. Every day I get one or two messages about this and mobile computing being the 'number one' threat to our networks.
FerCrissakes, every USB stick has that ability if you have not done your work/research etc.
But still, by far, the most dangerous thing on your network is the end user(s)...
That's life, it's the way the cookie crumbles, and it's how you're going to lose brownie points with the PHB at work.
Support NYCountryLawyer RIAA vs People
I'm calling you on this because I think it's very improbable without a laptop in the physical location. Sure it broadcasts like crazy in a LAN, but there's a HUGE leap from getting on the printer to turning it into your bot from a remote destination. Did the print server have a public IP?
Some details please.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Let's work with the concept that a multifunction machine get pwned for a moment. Instead of all the ideas of using it to root around on your servers, or join a botnet, what if the vulnerability did something as innocuous as FTP/SMTP (or even fax) images of scanned/printed documents to a server on the outside world?
Get a machine in a place that does financial or medical records and now you have a steady stream of confidential information going somewhere in the form of soc. security numbers, bank account numbers, etc. all in scanned form.
Since the machine probably already does this on a regular basis under normal use, it's possible that such an exploit could continue for a while before it would ever be discovered.
Wasn't one of the first Mac viruses spread by a mac printer?
There was a famous trojan that infected apple laser printers via postscript... but I don't think it 'spread' itself so it wasn't really a virus, nor would it qualify as a Mac virus because it didn't infect Macs, just some Apple Printers.
In any case I think it just lived on the printer. Although one of its effects was to change the password, something that could only be done a limited number of times for some demented reason, which meant eventually the printer would lock you out, and you couldn't reset the password without swapping in a bios or pram, or something along those lines.
Nonetheless, yes, laserprinters have been 'servers' in their own right for over 20 years, so this is hardly news. The same is true of NAS, Routers, managed switched, and so forth. And as for an 'IT security strategy" really, what can you do? Be aware its possible, and limit your attack surfaces to a level appropriate to the risk of them being compromised and the level of damage they could do if compromised.
For most of us, "Don't put your printer on the internet" is probably sufficient"IT security strategy"... although for higher security installations, something more detailed would be required.