Password and Credentials Theft
Another attack scenario is password and credentials theft in an organization.
O'Connor warned that some MFDs have public IP addresses that can be found with a clever Google search queries. "A slightly more sophisticated attack would be to use CSRF [Cross Site Request Forgery]. In a CSRF attack, if a user views a specially crafted Web page, an attacker can trick the user's Web browser into launching an attack against an internal printer. If done properly, a CSRF attack can be invisible to the victim and give an external attacker control over an internal device," he said.
There's also the scenario of someone posing as a copier technician to get physical access to a device. Done properly, an attacker can completely compromise a vulnerable device in minutes, he said, citing the insider threat as another significant risk to printer security. The anti-malware industry tries to save itself. Read more here. Thomas Ptacek, principal and founder at New York-based penetration testing firm Matasano Security, said the risk is more than just theoretical.
"Should my mom be worried that a hacker is living in her printer? No. But, if you're a Fortune 500 company, vulnerable printers on your network is a scary thing," Ptacek said in an interview with eWEEK.
"There are several of these printers on every floor of every business, basically working as file servers for important documents," Ptacek said. "Printers deal with much more sensitive information than your typical file or storage server, but they get no protection whatsoever. They're altogether ignored as a risk on the network. Do you know of anyone looking for patches for a printer? People underestimate how dangerous these things are."
In the financial and health sectors, for example, he said a skilled hacker with unfiltered access to a print server can do serious damage.
"He can hide himself in there with a rootkit, capture all the documents passing through the print server. He can take over the printer and basically have full control of every action. It's the perfect catbird seat," Ptacek said.
Ptacek, who provides security consulting services to several major software vendors, said businesses should be worried about printer-specific malware. "Think about it: Printers are the perfect target for things like network worms," he said. "It's usually a [monoculture] because you buy them by the truckloads and install them with the same default settings, with exactly the same footprint and no run-time security. You run a command on one printer; you can run that command on all 1,000 printers in the enterprise."
Even though his Black Hat presentation in 2006 raised awareness around the issue, O'Connor said the problems remain because printer manufacturers have not invested in security during the code creation process.
"Some vendors have taken some good steps as far as trying to release more secure code and giving the end user more visibility and manageability with regard to the operation of the devices," O'Connor said. "Other vendors-which I would rather not name-have hyped new security features and software on their MFDs [multifunction devices.] These things make for great sales points and press releases but do not address the real problem in my opinion. From what I can tell, most vendors haven't done much of anything."
He recommended that IT administrators make it a priority to talk to vendors about what's being done to protect multifunction devices. "Ask things like, Do they do a security review of their code?" he said. "Do they issue patches and fixes for security bugs? Do they have tools for the IT staff to better manage the devices and gain some visibility into what's going on under the hood?
"Unfortunately, if your vendor is uncooperative, there's not a lot you can do. You will most likely break your support contract if you start poking around yourself," he said.