[ISN] Multifunction Printers: The Forgotten Security Risk

From: InfoSec News (alerts@private)
Date: Thu Feb 14 2008 - 09:33:42 PST


http://www.eweek.com/c/a/Printers/Multifunction-Printers-The-Forgotten-Security-Risk/

By Ryan Naraine
eWEEK.com
2008-02-13 

Networked MFPs can introduce significant risk to your business.  Are you 
paying attention?

That networked multifunction printer sitting innocently in the corner of 
your office just might be the most significant entry point for hackers 
to hijack sensitive data from your business.

Even worse, security researchers warn, they are a forgotten risk in 
every enterprise, featuring hardware that combines several functions in 
a single unitfax, copier, printer and scanner.

"A compromised [multifunction printer] is dangerous for a number of 
reasons. First and foremost, no one in the enterprise pays attention to 
them. That lack of visibility makes for a very attractive attack 
platform," said Brendan O'Connor, a researcher who was among the first 
to call attention to the printer security risk during a Black Hat talk 
in 2006.

"When I was doing my research, I had dozens and dozens of MFDs under my 
control, and no one in IT knew what I was doing. The idea of an attacker 
having equipment completely under their control on a company's internal 
network is a frightening proposition," O'Connor said in an interview 
with eWEEK.

The networked printers, scanners and copiers, he said, are no longer 
dumb machines sitting in a corner performing mundane tasks. In his mind, 
IT administrators should start paying serious attention to 
vulnerabilities and weaknesses in printersand start preparing patch- and 
risk-management strategies.

O'Connor, who works in information security for a major financial 
services company, said printers should be treated the same as every 
other asset because, for businesses that depend on a paper trail, 
something as simple as a denial-of-service attack can be debilitating.

During his Black Hat presentation in 2006, O'Connor picked apart the 
security model of a Xerox WorkCentre MFP, showing how the device 
operated more like a low-end server or workstation than a copier or 
printercomplete with an AMD processor, 256MB of SDRAM and an 80GB hard 
drive and running Linux, Apache and PostGreSQL.

He showed how the authentication on the device's Web interface can be 
easily bypassed to launch commands to completely hijack a new Xerox 
WorkCentre machine.

"All the information that's being printed, scanned and faxed is 
susceptible to theft," O'Connor said. "Once under an attacker's control, 
it is simple to covertly save copies of other people's data on the 
machine's hard drive. With built-in network, fax/modem and network 
capabilities, there are a variety of ways to smuggle the stolen 
information out of an organization once it's been captured.

Another attack scenario is password and credentials theft in an 
organization.

"If users need to enter a password for certain operations, like scanning 
to e-mail or network folders and shares, an attacker can capture 
usernames and passwords to gain further access to network resources, he 
said.

O'Connor warned that some MFDs have public IP addresses that can be 
found with a clever Google search queries.

"A slightly more sophisticated attack would be to use CSRF [Cross Site 
Request Forgery].  In a CSRF attack, if a user views a specially crafted 
Web page, an attacker can trick the user's Web browser into launching an 
attack against an internal printer. If done properly, a CSRF attack can 
be invisible to the victim and give an external attacker control over an 
internal device," he said.

There's also the scenario of someone posing as a copier technician to 
get physical access to a device. Done properly, an attacker can 
completely compromise a vulnerable device in minutes, he said, citing 
the insider threat as another significant risk to printer security.

Thomas Ptacek, principal and founder at New York-based penetration 
testing firm Matasano Security, said the risk is more than just 
theoretical. "Should my mom be worried that a hacker is living in her 
printer? No. But, if you're a Fortune 500 company, vulnerable printers 
on your network is a scary thing," Ptacek said in an interview with 
eWEEK.

"There are several of these printers on every floor of every business, 
basically working as file servers for important documents," Ptacek said. 
"Printers deal with much more sensitive information than your typical 
file or storage server, but they get no protection whatsoever. They're 
altogether ignored as a risk on the network. Do you know of anyone 
looking for patches for a printer? People underestimate how dangerous 
these things are."

In the financial and health sectors, for example, he said a skilled 
hacker with unfiltered access to a print server can do serious damage.

"He can hide himself in there with a rootkit, capture all the documents 
passing through the print server. He can take over the printer and 
basically have full control of every action. It's the perfect catbird 
seat," Ptacek said.

Ptacek, who provides security consulting services to several major 
software vendors, said businesses should be worried about 
printer-specific malware.

"Think about it: Printers are the perfect target for things like network 
worms, he said. It's usually a [monoculture] because you buy them by the 
truckloads and install them with the same default settings, with exactly 
the same footprint and no run-time security. You run a command on one 
printer; you can run that command on all 1,000 printers in the 
enterprise."

Even though his Black Hat presentation in 2006 raised awareness around 
the issue, O'Connor said the problems remain because printer 
manufacturers have not invested in security during the code creation 
process.

"Some vendors have taken some good steps as far as trying to release 
more secure code and giving the end user more visibility and 
manageability with regard to the operation of the devices," O'Connor 
said. "Other vendorswhich I would rather not namehave hyped new security 
features and software on their MFDs [multifunction devices.] These 
things make for great sales points and press releases but do not address 
the real problem in my opinion. From what I can tell, most vendors 
haven't done much of anything."

He recommended that IT administrators make it a priority to talk to 
vendors about what's being done to protect multifunction devices.

"Ask things like, Do they do a security review of their code? he said. 
Do they issue patches and fixes for security bugs? Do they have tools 
for the IT staff to better manage the devices and gain some visibility 
into what's going on under the hood?

"Unfortunately, if your vendor is uncooperative, there's not a lot you 
can do. You will most likely break your support contract if you start 
poking around yourself," he said.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Thu Feb 14 2008 - 09:39:10 PST