Printer Security

Printers Vulnerable To Security Threats

jcatcw writes "Networked printers are more vulnerable to attack than many organizations realize. Symantec has logged vulnerabilities in five brands of network printers. Printers outside firewalls, for ease of remote printing, may also be open to easy remote code execution. They can be possible launching pads for attacks on the rest of the network. Disabling services that aren't needed and keeping up with patches are first steps to securing them." From the article: "Security experts say that printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.... [N]etworked printers need to be treated like servers or workstations for security purposes — not like dumb peripherals."
  • Identifying viruses (Score:3, Informative)

    by Calinous ( 985536 ) on Thursday January 18, 2007 @12:24PM (#17664756)
    One of my colleagues told me about a printer that started printing page after page of funny characters. It seems there was a virus in the network, trying to write itself on all shares - of which the printer had one.
    How much is one of those printers able to do? Printers dedicated to big offices have a pretty powerful processor, lots of RAM, hard drive. Taking control of such a printer could be just as useful for a black-hat cracker as taking control of a computer there, with the bonus that printers aren't usual suspects for infections.
  • Double duh (Score:2, Informative)

    by Anonymous Coward on Thursday January 18, 2007 @12:26PM (#17664784)
    Printers have been network servers for a long time now. I have a 1995 vintage networked laser from Digital Equipment Corporation (rest in pieces) and its manual tells the exact procedure to get to the command line, by using a default password and telnet. Yes, this printer has a unix-like command line interface for configuring its print server functions, and anyone who knows the IP address and the password can get in. Needless to say I've been careful to keep the printer behind my firewall box.
  • by Anonymous Coward on Thursday January 18, 2007 @12:50PM (#17665174)
    Just because you read it somewhere doesn't mean it's true [theregister.co.uk]. Try googling "gulf war printer virus".
  • by RealProgrammer ( 723725 ) on Thursday January 18, 2007 @12:56PM (#17665296) Homepage Journal
    In security we balance likelihood of attack, likely damage, and cost to mitigate the threat. The cost to mitigate includes labor, time, materials, and increased difficulty to use (or decreased availability of) the asset. For printers there are at least two such areas of concern (people model them as vectors or attack trees, variously).
    1. telnetting in
      1. For a base of operations
      2. As an aid in information gathering
    2. Denial of service
      1. Printing garbage as an annoyance
      2. Causing apparent hardware failure, distracting service personnel from real attacks
      3. Damaging the device with invalid NVRAM
    3. Loss of integrity: modify interpreter to change printing behavior in some mission-sensitive way.
    For example, you could display "028*: Radon Discharge Hazard" or some other nonsense trouble symptoms at random intervals on the control panel. The techs in charge would then have to deal with that problem, while you attack their database server or other target. With a modified Postscript interpreter, you could insert random words or even carefully selected phrases in documents as they printed, using the same font that the document prints. How often do people proofread the text of a document they just proofread on screen? Only if they printed it to proofread it, and even then they might not notice. Also, printers in network environments often have file storage space, which makes them a target both to corrupt, if their storage is used in production. If the area is not used in production, it can be used by a rogue to hide things, since typically no one looks at that storage area if it's not in production.
  • by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Thursday January 18, 2007 @01:12PM (#17665578)
    Or from switching on the printer after the instruction to enter graphics mode has been sent ..... resulting in the bitmaps which would make up the graphics being treated as ASCII codes, and printed in the printer's native font.

    But no; I have seen a printer chuck out pages of junk, starting with "This program requires Microsoft Windows" or something, and it was due to an infected Windows machine trying to copy the virus to every SMB share it could see. Including the printer (which was on a SAMBA share). This was in the Windows '98 days, so the problem most probably doesn't occur nowadays. (We actually ditched all our Windows '98 machines in favour of what was then called Mandrake shortly afterward.)
  • Re:Campus Printers (Score:3, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 18, 2007 @01:20PM (#17665726) Homepage Journal
    Yeah, I've seen that done before - It entirely depends on students printing via locked-down (usually Windows) print servers. Just note the printer model, download the driver, and install the printer directly on your laptop. Bam, free and unlimited printing.

    The people at some schools are not idiots and can prevent you from doing this. Some printers actually have access controls, although people seldom bother to use them. Set an admin password, and disallow network printing from any but the print server addresses. Also if the printer itself is not on the same network as the clients, but instead connected only to the print server(s), then you're not going to get far with your little scheme.
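
One way to verify that the restriction described in the comment above (printing accepted only from the print server addresses) actually holds, as an added example that is not part of the original thread: it scans flow records for traffic to printer service ports from any other host. The addresses, the log format and the function name are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration; none of these come from the thread.
PRINT_SERVERS = {ipaddress.ip_address("10.0.5.10"), ipaddress.ip_address("10.0.5.11")}
PRINTERS = ipaddress.ip_network("10.0.9.0/24")
# Well-known TCP ports: telnet, LPD, IPP, raw port-9100 printing.
WATCHED_PORTS = {23: "telnet", 515: "lpd", 631: "ipp", 9100: "raw-print"}

# Constructed flow records in a made-up format: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2007-01-18T12:01:07 10.0.5.10 10.0.9.21 9100 ALLOW
2007-01-18T12:03:44 10.0.7.88 10.0.9.21 9100 ALLOW
2007-01-18T12:04:02 10.0.7.88 10.0.9.21 23 DENY
2007-01-18T12:05:15 10.0.7.31 10.0.5.10 445 ALLOW
2007-01-18T12:06:39 10.0.5.11 10.0.9.40 631 ALLOW
garbage line that should be skipped
2007-01-18T12:09:50 10.0.7.90 10.0.9.40 515 ALLOW
"""

def audit_flows(text):
    """Return findings for traffic to printer service ports from non-print-server hosts."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record
        ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if dst_ip not in PRINTERS or port not in WATCHED_PORTS:
            continue  # not printer-bound, or not a service we track
        if src_ip in PRINT_SERVERS:
            continue  # the only hosts expected to talk to printers directly
        # ALLOW: the access control is missing or wrong. DENY: it held, but someone tried.
        severity = "acl-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append((ts, str(src_ip), str(dst_ip), WATCHED_PORTS[port], severity))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

An `acl-gap` finding means a client reached the printer without going through the print server; a `blocked-attempt` means the control worked and the source host is worth a look.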

  • by howlinmonkey ( 548055 ) on Thursday January 18, 2007 @02:34PM (#17667182)

    I work in the networked printer/multifunction industry. While HP is popular on desktops, other brands are gaining, and rule in the 50ppm+ arena. These devices come from other vendors like Canon, Sharp, Kyocera and Xerox. These multifunction devices provide scan, fax and print services and run a variety of OS's from VxWorks to Solaris. Yes Johnny, that means Windows XP embedded as well. Although I have to say, I haven't seen a DOS based controller in about 6 years.

    We routinely receive questions about security, and help patch and configure these boxes to meet network security requirements as closely as possible. Unfortunately, we have limited access to the core OS, so we go as far as we can and work around the rest. Many vendors, especially those using Windows, provide controller patches with security fixes included. EFI [efi.com] even allows an admin to RDP in and use Windows Update to keep current.

    These devices aren't perfect, but they have come a long way. That being said, if you haven't heard about this in the past, you have no business being in charge of network security. Multifunction devices today are just as powerful as your desktops and servers, running the same software. Admin control is limited, and vulnerabilities are a reality - note the recent Xerox vulnerability [xerox.com].

    I would say it is important to stay in contact with your local vendor/dealer to stay on top of these issues. We work with these products every day, and receive regular notices about security issues and solutions, not to mention a wide variety of other product data. We are a resource, just like any other outside consultant, to help you get and stay secure.
