Printer Security

At BlackHat last week, Brendan O'Connor warned about the dangers of insecure printers:

"Stop treating them as printers. Treat them as servers, as workstations," O'Connor said in his presentation on Thursday. Printers should be part of a company's patch program and be carefully managed, not forgotten by IT and handled by the most junior person on staff, he said.

I remember the L0pht doing work on printer vulnerabilities, and ways to attack networks via the printers, years ago. But the point is still valid and bears repeating: printers are computers, and have vulnerabilities like any other computers.

Once a printer was under his control, O'Connor said he would be able to use it to map an organization's internal network--a situation that could help stage further attacks. The breach gave him access to any of the information printed, copied or faxed from the device. He could also change the internal job counter--which can reduce, or increase, a company's bill if the device is leased, he said.

The printer break-in also enables a number of practical jokes, such as sending print and scan jobs to arbitrary workers' desktops, O'Connor said. Also, devices could be programmed to include, for example, an image of a paper clip on every print, fax or copy, ultimately driving office staffers to take the machine apart looking for the paper clip.

Getting copies of all printed documents is definitely a security vulnerability, but I think the biggest threat is that the printers are inside the network, and are a more-trusted launching pad for onward attacks.

One of the weaknesses in the Xerox system is an unsecured boot loader, the technology that loads the basic software on the device, O'Connor said. Other flaws lie in the device's Web interface and in the availability of services such as the Simple Network Management Protocol and Telnet, he said.

O'Connor informed Xerox of the problems in January. The company did issue a fix for its WorkCentre 200 series, it said in a statement. "Thanks to Brendan's efforts, we were able to post a patch for our customers in mid-January which fixes the issues," a Xerox representative said in an e-mailed statement.

One of the reasons this is a particularly nasty problem is that people don't update their printer software. Want to bet approximately 0% of the printer's users installed that patch? And what about printers whose code can't be patched?

EDITED TO ADD (8/7): O'Connor's name corrected.

Posted on August 7, 2006 at 10:59 AM • 27 Comments

Comments

Pat CahalanAugust 7, 2006 12:32 PM

I'm reminded of an incident where campus received an RIAA complaint due to a machine serving out copies of "The Two Towers" and it turned out the compromised host was a copy machine running an embedded NT4 operating system.

XyzAugust 7, 2006 12:39 PM

This reminds me of the time one of the networkable LCD projectors at school caught a worm virus.

crackAugust 7, 2006 12:45 PM

I recently talked to a tech who services Xerox printer/copiers. He said that the devices have a hard drive that keeps most everything the print/copy on it. He said someone could change that out and collect the data easily. Said that his customers include banks. Your information is everywhere.

PJAugust 7, 2006 12:56 PM

The best reason I've found for using openwrt on my wireless routers is the security updates - neither Dell or Linksys offer upgrades or fixes in anywhere near as timely a manner as the open source openwrt guys. The last Dell firmware update was in 2004. openwrt on the other hand now has WPA2 support, not to mention being a fully flexible networked device... asterisk @home anyone? web server? CUPS?

WandererAugust 7, 2006 2:23 PM

Doing nmap '--randomize-hosts' type searches for hidden web sites is sort of a hoby of mine. It's fascinating what turns up sometimes. I once stumbled across a wide open HP printer at the Los Alamos National Laboratory. Little old me, a nobody, found it purely by accident. I apparently had access to all the logs and could have used it as a network printer, although I got spooked and didn't really poke around. I can't even discount the idea that it was there purposefully as a honeypot.

Still, this is a disturbing thing to me in light of the fact that the Los Alamos mission statement starts with this....

"The mission of Los Alamos National Laboratory is national security.

Most Los Alamos employees are working to help ensure the safety and reliability of the nuclear weapons in our country's stockpile."

Does anyone else see the lack of wisdom in running even a "honeypot" out of Los Alamos?

Hmmmm.... I wonder if I could have cut myself orders for a few hundred pouinds of weapons grade Uranium and a couple rockets?

grumpy_sysadminAugust 7, 2006 5:53 PM

This is so been there (http://www.sccs.swarthmore.edu/org/phoenix/2002/2002-03-28/news/printing.php) , done that (http://eclipsed.net/~gr/April1.txt). Of course, I was dumb enough to admit I'd done it (http://www.sccs.swarthmore.edu/users/02/agr/).

AdrianAugust 7, 2006 6:45 PM

Its all very well to say that but from experience you just CANNOT.

The vendors stick their heads in the sand and refuse to do anything with their devices, bloody great multi-function printer/photocopier/scanners have embedded Windows NT or 2000 machines in them at appalling patch levels and you cannot get at them to patch them. The ones with embedded Linux aren't much better.

The best you can do is firewall them off so that only printing traffic can get to them.

quincunxAugust 7, 2006 6:47 PM

"Most Los Alamos employees are working to help ensure the safety and reliability of the nuclear weapons in our country's stockpile."

For those familiar with Richard Feynman, this anecdote is especially funny.

"Said that his customers include banks. Your information is everywhere."

That's why I always print white on white.

"This reminds me of the time one of the networkable LCD projectors at school caught a worm virus."

Me too!

EvanAugust 7, 2006 7:37 PM

IIRC Phenoelit did some work there too, circa DEFCON 0a...

Just dug out my CD... FX (of phenoelit) did a presentation on hacking embedded systems, a substantial portion of which was dedicated to HP printers. I can post the (PDF) slide show if anyone is interested.

Hehe... that was the year GOBBLES was big. Funniest presentation I've ever seen...

RickAugust 7, 2006 8:17 PM

@Wanderer
>Does anyone else see the lack of wisdom in running even a "honeypot" out of Los Alamos?

Maybe it wasn't really at Los Alamos, but was only claiming to be there. Unless you knew someone on-site at Los Alamos, and they watched the printer print a page as directed from your remote location, how would you really know?

Yes, I can see some wisdom in trying to attract flies by claiming to be a workstation or a printer at Los Alamos. I can see wisdom in claiming to be a device at NSA, any major financial firm, and many similar sites.

nico suaveAugust 8, 2006 3:16 AM

One vendor I've been working with recently (and I don't know how much I can talk about) does nice-to-hear things with security: up to 9 times overwrite on the disk as soon as a document is output (fax, copy, print, email, etc), sign in and searching the directory encryted via (MS) kerberos, not even partition info on the hard disks, HTTP admin interface disabled, and HTTPS admin interface accessible from specified IP addresses, older versions of SNMP disabled...
And probably more that I don't remember, but the fact that they passed our security tests means that some vendors are able to produce secure (to a point, given that its networked) network-connected devices if there's incentive to do so.

Former Security TechnicianAugust 8, 2006 3:17 AM

Been there!

SECURITY TECHNICIAN: "... and here's this week's list of Windows machines that absolutely must be patched or taken off the network. They're all vulnerable to the worm of the week. Some to the worm of three weeks ago."
HEAD OF WINDOWS SUPPORT: "Okay, we'll check 'em out. Hey, wait, your scan must be broken. This one isn't a Windows system. It's a printer."
ST: "Let me check ... nope, nmap says it's a Windows system. What kind of printer do you think it is?"
HWS: "It's the big fancy Canon printer up in Graphics."
ST: "Well, it's running Windows. And needs patched."
HWS: "We don't want to break it. I'll call Canon."

(time passes)

ST: "Hey, HWS. What happened to that Canon printer running Windows?"
HWS: "Uh ... Canon doesn't have any updates for it."
ST: "Yeah, but Microsoft does. Can we install them?"
HWS: "It doesn't have a display or a keyboard or mouse. We can't log in to it."
ST: "Well, it is vulnerable to the exploit of the week ..."

(metasploit metasploit metasploit)
(vnc vnc vnc)
(windows update windows update windows update)

ST: "Okay, it's patched."

bobAugust 8, 2006 7:23 AM

If I have firewall software on my PC intended to prevent unauthorized communications, and Windows "phones home" without my permission, isnt that a violation of DMCA?

XyzAugust 8, 2006 8:18 AM

"If I have firewall software on my PC intended to prevent unauthorized communications, and Windows "phones home" without my permission, isnt that a violation of DMCA?"

No. The DMCA has to do with copyrights. You're probably thinking of 18 USC ยง 1030.

CuriousAugust 8, 2006 8:19 AM

"Just dug out my CD... FX (of phenoelit) did a presentation on hacking embedded systems, a substantial portion of which was dedicated to HP printers. I can post the (PDF) slide show if anyone is interested."

Please do so. I am very interested.

BTW: anyone has link to L0pth research about printer security Schneier mentioned?

Thanks!

Davi OttenheimerAugust 9, 2006 1:30 AM

If it's connected to the network it's potentially vulnerable. If it's connected and then the firmware never updated, as is often the case...

Shame of it is that the updates are so easy to centrally manage, the admin pages easy to lock, and the exploits easy to mitigate, but these steps are rarely taken. At least O'Connor focused on some high-end equipment since DoS or damage to low-end printers in a large enterprise is usually taken by users as just "another outage" and they already have resiliance through access to newer or diff printers, etc.

The heart of the issue, or at least what I have noted in the past, is difficulty in determining the real value of a remote printer to its local users. Few people assign much value, or pay attention to them, unless they are down at the very moment that they need something critical. Thus it becomes hard to know from a distance whether the printer you are about to test/exploit is a dusty relic sitting in an empty hallway that no one knows about, or something mission critical like an order confirmation or warehouse "pick" system (where each missing page translates directly into $$$ loss, calculated by the minute).

Davi OttenheimerAugust 9, 2006 1:35 AM

"Want to bet approximately 0% of the printer's users installed that patch? And what about printers whose code can't be patched?"

Reminds me of the good-intentioned hackers who plug into a network, fire-up an enterprise printer manager console, and start randomly updating any printer they can ping that doesn't challenge them for authorization. They might even automate the fixes with a simple script so it runs silently in the background or overnight.

You could be surprised how many companies have patched printers and have no idea why or by who...

Christoph ZurniedenAugust 10, 2006 9:21 AM

It always made me wonder, what such a "full PC in a printer" is good for.
So:
> up to 9 times overwrite on the disk as soon as a document is output (fax, copy, print, email, etc),

Why does a printer need non-volatile memory for temporary data in the first place?
I can understand that you need some counters for the statistics and an error-logger but you can keep that in some MiBs of cheap flash chips.

> sign in and searching the directory encryted via (MS) kerberos,

Not needed without a disk.

> not even partition info on the hard disks,

No disk at all means no partition info.

> HTTP admin interface disabled, and HTTPS admin interface accessible from specified IP addresses, older versions of SNMP disabled...

A printer is normaly a big box with public access (there are exceptions of course e.g the printer in the heavily locked server room which is used as a WORM-logger for security related notes or that forgotten box mentioned by Davi Ottenheimer). What do you need that highly complex remote administration system (a HTTP-server!) for?

> but the fact that they passed our security tests means [...]

... not much. These are very closed systems, nearly a black box for the tester and testing a black box is practically impossible. You would have to rip it appart, both hard- and software. That costs an arm and a leg and voids warranty too.

You can firewall the printer, let nothing thru except the documents and hope that e.g. the PostScript(TM) interpreter has no flaw, but you can't do anything to secure the data on the harddrive except using none at all in the first place.
"Hi, I'm the new printer guy, I have to exchange some parts of your printer."
And off he goes with the harddrive, or the complete embeded PC if the data on the hardrive is encoded. Or a keylogger is installed. Or a trojan. Such printers break regulary and in short intervalls, just wait for the phone-call and you have your chance to get physical access.
And now you do not even need physical access anymore.
*sigh*


CZ

Jim HyslopAugust 11, 2006 10:01 PM

> Why does a printer need non-volatile memory for temporary data in the first place?

I would surmise it's to allow the printer to spool many huge print jobs. I haven't priced memory lately, but (ahem) if memory serves hard drives are significantly cheaper per GB than RAM.

Christoph ZurniedenAugust 12, 2006 9:06 PM

> I would surmise it's to allow the printer to spool many huge print jobs. I haven't priced memory lately, but (ahem) if memory serves hard drives are significantly cheaper per GB than RAM.

And sending back a "QUEUE FULL" would be cheaper and above all: more secure.

The feature "fire&forget" has it's pricetag but that pricetag is unknown to the buyers in most cases and the companies selling this feature rarely advertise the disadvantages.
This secrecy is a problem because most of the mentioned security problems are solved quite easily, e.g put the plotter for the precious blueprints in a locked room, watch the maintainer while he is repairing the printer (OK, that needs a watcher who knows what to look for and is therefore expensive), rip out the hard drive (voids warranty and the printer probably stops working) and some more. You might even calculate the value of the data and ignore the whole mess if you found out,that the value of the data is well below the value of the paper it's printed on.
But you cannot do anything of the above if you do not even know that you have a problem and the vendors hide the security implications carefully. Before you cite R. J. Hanlon: do you really think the manufacturer are to stupid to understand the side-effects of non-volatile memory in connection with security?


CZ

AnthonyJanuary 2, 2007 7:02 PM

I found a site with the best prices ever on printers and Fax Machines. Money Back guarantee! They even provide a Free Fax Machine
and Free 800 Fax number with Every printer Purchase!
www.electronicsconsumerguide.com

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..