Your printer is a computer... - Tech Support Forums

Theophylact · August 8th, 2006, 12:01 PM

Quote:

LAS VEGAS--The multifunction printers found in many offices are not dumb devices, but are computers that can be hacked, a security expert has warned. In a presentation at the Black Hat security conference, Brendan O'Connor, a security expert at an unnamed U.S. financial company, showed how he could gain control over a Xerox device and wreak all kinds of havoc.

"Stop treating them as printers. Treat them as servers, as workstations," O'Connor said in his presentation on Thursday. Printers should be part of a company's patch program and be carefully managed, not forgotten by IT and handled by the most junior person on staff, he said.

In the case of the Xerox system, O'Connor said the multifunction device was, in essence, a Linux server. He was able to exploit a weakness in the security of the device and gain full control of the machine. O'Connor noted that he also looked at devices from other manufacturers and found similar security faults, but did not list any names.

Once a printer was under his control, O'Connor said he would be able to use it to map an organization's internal network--a situation that could help stage further attacks. The breach gave him access to any of the information printed, copied or faxed from the device. He could also change the internal job counter--which can reduce, or increase, a company's bill if the device is leased, he said.

The printer break-in also enables a number of practical jokes, such as sending print and scan jobs to arbitrary workers' desktops, O'Connor said. Also, devices could be programmed to include, for example, an image of a paper clip on every print, fax or copy, ultimately driving office staffers to take the machine apart looking for the paper clip.

One of the weaknesses in the Xerox system is an unsecured boot loader, the technology that loads the basic software on the device, O'Connor said. Other flaws lie in the device's Web interface and in the availability of services such as the Simple Network Management Protocol and Telnet, he said.

O'Connor informed Xerox of the problems in January. The company did issue a fix for its WorkCentre 200 series, it said in a statement. "Thanks to Brendan's efforts, we were able to post a patch for our customers in mid-January which fixes the issues," a Xerox representative said in an e-mailed statement.

However, O'Connor believes the fix is inadequate, and therefore he decided to make the presentation at Black Hat. The threat is real, even though printers are mostly on internal networks, he said. "There is always the insider threat," O'Connor said.

(Hat tip to Bruce Schneier.)

M_Six · August 8th, 2006, 03:08 PM

Hey Theo.

Good tip. We deal with these issues all the time here. Networked printers need to be behind a firewall and have security set, otherwise they mysteriously start spewing out mountains of gibberish strewn paper.

usslindstrom · August 9th, 2006, 12:12 AM

Oh man, I would LOVE to get my hands on the knowledge to do that kinda' stuff. I have some serious practical jokes that are comin' to mind right now.

GiPilot12 · August 9th, 2006, 12:26 AM

That could get annoying if someone got into your printer.

Mickwish · August 9th, 2006, 12:31 AM

Don't forget wireless network printers either. I managed to accidentally connect to an unsecured wireless networked printer at the school across the road from where I used to live. So I sent them a nice print job explaining that they should secure it, and included my email address. Got a nice email back thanking me and stating they had fixed it.

Could have been some nasty pranks by someone, though.

Cheers
Mick