At BlackHat last week, Brendan O'Connor warned about the dangers of insecure printers:
"Stop treating them as printers. Treat them as servers, as workstations," O'Connor said in his presentation on Thursday. Printers should be part of a company's patch program and be carefully managed, not forgotten by IT and handled by the most junior person on staff, he said.
I remember the L0pht doing work on printer vulnerabilities, and ways to attack networks via the printers, years ago. But the point is still valid and bears repeating: printers are computers, and have vulnerabilities like any other computers.
Once a printer was under his control, O'Connor said he would be able to use it to map an organization's internal network--a situation that could help stage further attacks. The breach gave him access to any of the information printed, copied or faxed from the device. He could also change the internal job counter--which can reduce, or increase, a company's bill if the device is leased, he said.
The printer break-in also enables a number of practical jokes, such as sending print and scan jobs to arbitrary workers' desktops, O'Connor said. Also, devices could be programmed to include, for example, an image of a paper clip on every print, fax or copy, ultimately driving office staffers to take the machine apart looking for the paper clip.
Getting copies of all printed documents is definitely a security vulnerability, but I think the biggest threat is that the printers are inside the network, and are a more-trusted launching pad for onward attacks.
One of the weaknesses in the Xerox system is an unsecured boot loader, the technology that loads the basic software on the device, O'Connor said. Other flaws lie in the device's Web interface and in the availability of services such as the Simple Network Management Protocol and Telnet, he said.
O'Connor informed Xerox of the problems in January. The company did issue a fix for its WorkCentre 200 series, it said in a statement. "Thanks to Brendan's efforts, we were able to post a patch for our customers in mid-January which fixes the issues," a Xerox representative said in an e-mailed statement.
One of the reasons this is a particularly nasty problem is that people don't update their printer software. Want to bet approximately 0% of the printer's users installed that patch? And what about printers whose code can't be patched?
EDITED TO ADD (8/7): O'Connor's name corrected.
Posted on August 7, 2006 at 10:59 AM • 30 Comments