|
|
|
Multifunction Printers: The Forgotten Security Risk
By: Ryan Naraine
2008-02-13
Article Rating:  / 51
There are 11 user comments on this Network Security & Hardware story.
Multifunction Printers: The Forgotten Security Risk (
Page 1 of 2 ) Networked MFPs can introduce significant risk to your business. Are you paying attention?
That networked multifunction printer sitting innocently in the corner of your office just might be the most significant entry point for hackers to hijack sensitive data from your business.
Even worse, security researchers warn, they are a forgotten risk in every enterprise, featuring hardware that combines several functions in a single unitfax, copier, printer and scanner.
"A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform," said Brendan O'Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006.
"When I was doing my research, I had dozens and dozens of MFDs under my control, and no one in IT knew what I was doing. The idea of an attacker having equipment completely under their control on a company's internal network is a frightening proposition," O'Connor said in an interview with eWEEK.
eWEEK rates the most influential people in security. See who made the list.
The networked printers, scanners and copiers, he said, are no longer dumb machines sitting in a corner performing mundane tasks. In his mind, IT administrators should start paying serious attention to vulnerabilities and weaknesses in printersand start preparing patch- and risk-management strategies.
O'Connor, who works in information security for a major financial services company, said printers should be treated the same as every other asset because, for businesses that depend on a paper trail, something as simple as a denial-of-service attack can be debilitating.
During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printercomplete with an
AMD
processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostGreSQL.
He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine.
"All the information that's being printed, scanned and faxed is susceptible to theft," O'Connor said. "Once under an attacker's control, it is simple to covertly save copies of other people's data on the machine's hard drive. With built-in network, fax/modem and network capabilities, there are a variety of ways to smuggle the stolen information out of an organization once it's been captured.
A Xerox spokesperson said that O'Connor had alerted the company of the vulnerability in January 2006, and that Xerox shipped a patch in Feburary 2006, several months before the Black Hat event.
| | Reader Comments: Multifunction Printers: The Forgotten Security Risk | | >>> Post your comment now!
| | You clearly need the whole articleTo quote in a round about way
"O'Conner alerted Xerox in January 2006 and a patch was shipped in February, before the Black Hat event" Posted At: 02-17-08
By: not farook | | | | | | What about network traffic?An additional issue, with simple printers as well as complex, is network security. There seem to be very few options for encryption of the print data... Posted At: 02-14-08
By: Bob Rasmussen | | | | | | The sky is fallingSo, if I understand this article, we are vulnerable, but we cannot do anything about it. Talk to Sharp, Ricoh, Xerox,a and the like? They don't... Posted At: 02-14-08
By: Farokh Monajem | | | | | | | | | | | | Setting dg to 0.0.0.0Setting the dg to 0.0.0.0 is not a bad idea. I just checked out the printers on my work and the default gateway was set to 0.0.0.0. But unfortunately... Posted At: 02-14-08
By: Joey | | | | | | Stopping external accessCould it not be as simple as giving these devices a Gateway address of 0.0.0.0? Posted At: 02-14-08
By: Dan | | | | | | So true . . .So true! I was at a deposition at a major law firm recently. Their wireless and "guest" wireless networks were locked down tighter than a drum. ... Posted At: 02-13-08
By: Anonymous | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������xr㶲(;; Yڦ(Rw{)ٖmX�gR_"!1Ej/Y/:/qt�M�)L&�'cK���}C�$\:a�uE1�]zo�oHRso��Lß6rJ��9AF#:,o�)>�#Yntj5�w�6GlJ{'A���:':D�PL9
ΜM}ٜi�7'x21X��m 8��)h|J@�~5{O�m�(EL�H.X(�:$c� 8x}ؾ䙿S=xe3��g;1m( �!)��X^�P~�D:玿kd;�F~�J�
z.Y^�7C2��pj9�W�y7vn��/��@Z��#\HȾwԇ�ɿ�Tm>���{$�-�Xd�UjD��b#2�!cS;T*%T*63-暚u@<͖}%ꎫc�"S�9ˡ,kFp�t6eݺ;Rr
bT�J#0my,^<ʜy^wfF_Bۿ\\� #K��ܖ4a*^w6 Wwy@.�{A~A7"�DT-�JR,�DAa|Omi= u+P縋T獒A7jJ^�Ղz��H.#=N-bG`F`%�pbQB�>�/ՠ}s}ɠ}rq|i!|#%ĠT
PAbPKe+5gxo[/:nNo_.9n;W>9ݐIYF0pg�Z�>-�=:$?,rO]����j�izT뒒{idM>Ժp|9!9Io'|:8%\��ٞBd}#8�;�7#R(y7ri��4(�=-8��X@.@ש#04kiV5aX�[R#E/��
'�|�!8Q%K%lO%U~u��_����F�nZ`KZ#J�,ՎJPPW
G�UL@�F�̶-a[ 9���k�k
=0�t@6Ol~g0�HӀ�=���M��/6}@˥ya>5 @�
L��^a� ;pc~XK�PǷcS7a��L2f��˥Oa4�ӫd�J
t>
��{8dOͱI
v/EE.MLXZfFV+�zJT*%y<�p�X"�@�7w
�R&a+\Ҩ^`O�g�Au,0Hj��j>ӧ>���\,\�CzKpe0�{]w+\kOμ���+�۟2E�<&�&;%OLOw�2H#yVA�K��dcS�yt$�d=*��ZAU�[�+;ߝ?�F����]h���6B\4�<�`S��5 �p&�7+(SU_̥uV*Y~b9'��-_Z)D@�\iY�5)ŅUj l<��`Z{O:^�-9�(W`
>v�3Go�a7X[�RkE}���애]pHA�j`��ѝ;#ؐCKA=eVS4�sܷ�V{uPD��`m{^ac7U�[o&bF)�ڽ-[''&h6�͋y�L�[tgᄻ,P��?|�,y1�#���h �g&z�>[C:u{Jp qctذ/h{�~�U-dže0"30�څϺ5#�yߴs�b,Onxz�F�oa:X
GqOX�s��X wl>K7ѹdNkl s
�ܒ;��!f@퇫�䛗h>���Lkni>Zdi�6Gu"�M."8&�08zGd�D\kOZ+~�_l6AcVg\T`u�Ej9�a�^�&=Y[^�ǭ�i�mmKQ
C�^F<�H�3$K!OdЮ%�H�zR7:fbG6}l;?/c�i�)ր
�EXqkTV�#\+�jJHJr�D�
�n!�ȍF#~{�$<@{EY,,.mDmX�J��/EXᐫiQ]A�Ӏ)h9Ll�\x&\_�Ƌ��b(Q^J�+�Gs�;"ʌg�b<�q{q>'F{��l�xG��tmδWՄθU
@N�� -8NM�6fF}���@>2TiɊ
+> tZb()�I; �
��D�U4qyh7(۞jjj'x4Hđ�ʝ?5q_P3@|P4Hn�I@r;~O;a#5
�ƈ���OJڣR> KYdI.��]
Vs�O��W�iOu�tzWuPG9���Zy%<��Z�Թ:mrHG��-?>\JnO5�4�gsV��; J@�F�G$9Ĩڈ}dvnvΥ�^6xv>������2C�4r��z]�ۺ9\/~.{7��\x#xdG�=�u9:dQ:�at�ݺ F>o6�eETHFRoO�ݺ�m@ylZӽK3JN|綱��yp2ű*i�9�%(5�Au�(�AB|Hy��0�Jw�鳁�VK�i^c��`|x �R̅2O4������Y�E^K=êJ^uof�u@:']��c'8�^l��wʜW#��,`��v�,N�͓!WC>0l{Vѵl�iOd@Tӧ�]��Z�zlm�H{O�,Aik8�n�;=/PV#w#h*5 s̕M/
fX%�k4!i\�u9hߐէ�ar�Js $j5hxy#s�6��O>O�4dkD�7�9!M[wfܓ�̆�O_۽dNii[nơ8�-��J=~l/Nt6�D�yWe[{#V_�3$]Bn/<4��L|d4
,f��Jf�87K�^hΠtu꾫w}~{!F.
o81쯌s�t�k~\ϸ�
]ek��^R�=n
/o}VZ�tCq�B� n^-/^TRJ>\Fϫ����< h�`�#F0�NùĢ7sf�mef7c6!{� Rb��:ƛ;
a!3̑"�+Q9�m&Ƕs�$�9gr0
�@�*�v<�..߭[���^ "B�;DJ��<[N#>[4��2�UCn�� õcV��3Ǵ
/gc+ޙU>�=dT�|���}167zP�<*�TI)ˠ�T�'�u�ga��%q$9c�>$Jr^-��?CƉ��:aI�=B�Q�K H>�-}F4��z�V/�i%EڶY|u-\�fJ/] �#J �T �uSЂQe^�W"m' ��5n�3�:ɓ\"x�ߔ-g�5c'��g��x��/H%�7Q�%�.�pN#b�J^�?�j3*Jw%P{]�Kh�u͖^�)8.D7,�Lds$U��
6g�@ʶPyu-#��iq6���or:_�ڒɻf$Ԣ]�l;gv<ұ�_{jy?`Y+�cZmNMK:55%��*�zw
8X�= ��%�0D@DKP�ʎ�bB�Re]RKiTɲ�8V �)�Pq!�k�~~~~gB+B]}/4�M*v��ˣ.:8�e��ՒPKf�߿;$/;.wQg\�j�@�/:;��$M:5=:,}�)*3�.v-f�&H��0�"��%�D�s?�7͗ߒJEj,7 c6_kMW_�X=eD'A^�I�usW�L�z6(fU2˗J`I�(uYpq3�2)g:��Xrc��0�(*�tĤ4j>X`!`Є7uV�0gV$�H� �$�p$�M3�xh>>p2�xuP�ǀ�\^k'1t�A�B^ZL�҉A[��>[�0�D:fv oB|��~_7I'3HgvA�n3V݆�J
V~Z�ڳP+�i(DPʽR8
0�$}6��X�����vcKȽ%�b>��x�
Ϫ}d���sxG*g@Ģt��6
�"1@)�G@`:� :e'\)e7w`)BtY8�xk&O[܀(�}���6�$ TTce։KA+q�iqnrGN^G��3ƚe#�� �*ǍE��./>��l?�.2dPqy`b�Kf�lǝiЃ,AcNfAfQi�:�T�sN
Ts\:$VG ]N1x}��[?[}�FɆ��t[`�ɥs!XXx+�pU9
&u0ZΧ|E[T8cvX��Kxm>�D�X1�Эq0e�_B
��?')3ʭ�K-t���&��`
���̀9kjJJ"28gqQܨ�o��F�Xqe�Z}CqK
#/RVI�p
K�Taa�n0LtAY>bi'�c,6_ON~W����-�b>��9[�}9}j4ֻ� |9czY4���1ɸM
xaw�!ᷭ�6�DNla�')9a#�i��\N�f'�W �yF}o=�ٽ_y9Rm{Ω=�4/F{Ѽ`e\|fV-+J5V\Hvi~X�ev��)h�D.4[M�@&��<�DҟSP̏X1[1�J�FVG#lEI6p�,|C5��,?t1ІMQ_ŌVb\>fFI"U�S�u���}(@�@L5B�J $�73\#�P�|*Cs7��R<ۣV7n@kl��ܓ;ҡ�@+qܖix"_{L'`�O� c
N6r�t�w'7Az$G7_p�
7�_
�6a^FGZq1G)�}po�;Cd2z�ޘ�7�,�Ie%+�փފ> sF@Yb+G��� j�l�/� �ul߶?#=:}ۿl��>zx�d䊫{P^H���/-u�ܙ&.ajO}#Qp
��HO�=���+�o>w�~�-=]B�mסu珽ň
tC{!�sBG)T�"ʑf`�NNoo�"FTw2OaD�P=S!bX"b\1��Q(pxy�~3&giE<
,i
P�Om�!�a��|S&H�b1Ř!c�iւiĘ5{�s>9N�S�cs�9%��K��q�y�Ek/߿�JS<-rA�3�"��V2����![C1P?R&F�p_�fF��5�A"�\epX<6�)4o��r[f�p͒w~�6t Q-��tV#ߛ�iw�_x,ȏ݊mݜ�(�8�&�Zi����H$bcx=9` �ݯ5�{2���{x�C�bwT�I`R
tX(r!xW`NJR�/|.OܡGaYݬ(f/#��\iL$�R,
��?h$5G쌆�dScx��u�\�S;�k/?
iv?�On:׃N�/{x Zӷ`+ds;tһtֹj_t�&hD㟳KmmP0"�e�HV�ũi�'\�_ñd̀W.�}U�X\m�iӳ0?�.7`J�E_CT�ώab>31s:=ij6�7>;ٙϋ_99q�Σ�}5�Z�[�+�!U9jmn8~�(�hO!vɀڹf`RZ%eFPsFPkF
ߤR[�=(e#�O���(?I/?�e��P!k^t;f4��g:W�NF?3?AK��]1?]�7c]͂�f�f�f�͠.g7>G2�?f_@EF?��](f^e�U�\]e_��O/C@25u�}\C7@?7�Ӈ3߇3?��d�(%�ׇ���a|�3�1�P~U�{AmF@��ugk\8r �gs�z)W@^dկ�?e�,��R�zvA�X^gR51
�ߧdnleڹ>�R+��]YKxUy%k{V�[M�2}W��c|:�,y&�?żY}摍J�4pk 7"[y�DY�s$��&}:=Wv l+Jx.*ܲ�}:aOkXE 9K8qaNL_�B��r(s#hR�{H9ѭ]2�zI[FԟYaj�=���pmঠǻ_-0.: 7W]}⪿�.om;yp#Ҫ}��\�;Yo�%P.#mZs�geǃf.ţu>�xZLظҲpoQV"
#�<�@ij1��Zq`�~Mg=�!훫uf�ŬQd,o(x7`eL�jf2�
@aw8aI5�@)(��?@,�(�s��[^F%�l��B�#V��"�g
M[`Nɤc��6�V{�[1gSDE`p䃷�a8Sk,|�ӄ�w�YAD˸���hdգh9ĉiSr�O�~���yOg\Rwy<%�3!M{2�oTx| "%m�T0Yz�Y'l�yl*b)mb�rف:9�]Z$G��|��+�#�˹f>r�Axa�p��t�Wp;?�X�=�ap[��!�$>�Lg %o�xKW|��7�w0�
sp�%1>ixe�>}v1�1)��#a��Z�Oc,'h
r2&�z�Fd}#dFHi9qg_�w!�Aǯb�T#��9&�Azfz5uڹ
X�Qg�mrQœj@@|vそu>5=v*c�vԥ�D@z!_�1H�wbix!F22XO~9L��mb�[>/y$_�%͞�fK(9:L^$Dh�?0vא$]R��
�`8wO�#;Sd��W�ul>:kw�o�n�+}:.T&(z5H�;�1(�}0%�%�X^�AG�}FV^\�D/n�
gey]�� ,pd+HY$��o�\*��IxrHQ`C>��~؋L����{G}ows�HbWQ6��q?ؖ�/fS�C��>X��f�c约1cbV!qd��f�ӧ�[7-[@�F'p�G!-X��<�wVulםD3
d�d��9a7gy1�1$(+nOvG�X
�>��4'كl4=h�}欹�(߆ْ[0�F>5o>�(Na2)1��&�ic��dxE���#b[p!@�PE5f*R8W
KQ)YLAł=�3�M.`���
p�cQ�"*��x[9�ċGgW\2ZP/ɬ�Q|1Lo�5/#=ZF&k8~m=fs|iW��f�JpC)�tO˞˰��CNx3AW�X��(K#�LMΠps::h݆G���H�xЬ;�[�Qy6 <ЩAM.vQEeN܌�1i#]®54-�n�veѩi�ywTs
\7B+G]y�c�¨+�7q;s�[_O��{0�|6,�l�p/>&ǸK��81V`w^?קg[8K cd.
,�$(zo,�Ŵ0��&iEȣd`C�v�_Ή~ph;?�҈�A� wVǰ�=BO��Pw��O80�Ux|�-h\�}{Mv,S0#r̟X)��zW�N~LʅcaP^٢�C�"d�1#Gj0\t�H
d9[܈_م�4&�3�k��/��YH~>��� �r"r*]x�WI"c؛B}� Ӟ$�_yfȅ�v1,#6x�ĊN�?t^�k/o�?X�Yj O<|�X�Ep(�']f�+FRq�OT|_���.{7�X�%uMթ�.~hIwz7$��!w:=\_z
S%ȕ/��2f�oU�AޜFCQ+j5�N"�i~ۊX�#iQf�rYORե{l'�@�On6%c(\ɜK�RSk85X�jSߥL�FNÇc�>dgLt�)�2)v}md-c6�C-{�_X(��
|
Network Security & Hardware 
