|
|
|
Multifunction Printers: The Forgotten Security Risk
By: Ryan Naraine
2008-02-13
Article Rating:  / 51
There are 11 user comments on this Network Security & Hardware story.
Multifunction Printers: The Forgotten Security Risk - Password and Credentials Theft (
Page 2 of 2 )
Another attack scenario is password and credentials theft in an organization.
"If users need to enter a password for certain operations, like scanning to e-mail or network folders and shares, an attacker can capture usernames and passwords to gain further access to network resources, he said.
O'Connor warned that some MFDs have public IP addresses that can be found with a clever Google search queries.
"A slightly more sophisticated attack would be to use CSRF [Cross Site Request Forgery]. In a CSRF attack, if a user views a specially crafted Web page, an attacker can trick the user's Web browser into launching an attack against an internal printer. If done properly, a CSRF attack can be invisible to the victim and give an external attacker control over an internal device," he said.
There's also the scenario of someone posing as a copier technician to get physical access to a device. Done properly, an attacker can completely compromise a vulnerable device in minutes, he said, citing the insider threat as another significant risk to printer security.
The anti-malware industry tries to save itself. Read more here.
Thomas Ptacek, principal and founder at New York-based penetration testing firm Matasano Security, said the risk is more than just theoretical.
"Should my mom be worried that a hacker is living in her printer? No. But, if you're a Fortune 500 company, vulnerable printers on your network is a scary thing," Ptacek said in an interview with eWEEK.
"There are several of these printers on every floor of every business, basically working as file servers for important documents," Ptacek said. "Printers deal with much more sensitive information than your typical file or storage server, but they get no protection whatsoever. They're altogether ignored as a risk on the network. Do you know of anyone looking for patches for a printer? People underestimate how dangerous these things are."
In the financial and health sectors, for example, he said a skilled hacker with unfiltered access to a print server can do serious damage.
"He can hide himself in there with a rootkit, capture all the documents passing through the print server. He can take over the printer and basically have full control of every action. It's the perfect catbird seat," Ptacek said.
Ptacek, who provides security consulting services to several major software vendors, said businesses should be worried about printer-specific malware.
"Think about it: Printers are the perfect target for things like network worms, he said. It's usually a [monoculture] because you buy them by the truckloads and install them with the same default settings, with exactly the same footprint and no run-time security. You run a command on one printer; you can run that command on all 1,000 printers in the enterprise."
Even though his Black Hat presentation in 2006 raised awareness around the issue, O'Connor said the problems remain because printer manufacturers have not invested in security during the code creation process.
"Some vendors have taken some good steps as far as trying to release more secure code and giving the end user more visibility and manageability with regard to the operation of the devices," O'Connor said. "Other vendorswhich I would rather not namehave hyped new security features and software on their MFDs [multifunction devices.] These things make for great sales points and press releases but do not address the real problem in my opinion. From what I can tell, most vendors haven't done much of anything."
He recommended that IT administrators make it a priority to talk to vendors about what's being done to protect multifunction devices.
"Ask things like, Do they do a security review of their code? he said. Do they issue patches and fixes for security bugs? Do they have tools for the IT staff to better manage the devices and gain some visibility into what's going on under the hood?
"Unfortunately, if your vendor is uncooperative, there's not a lot you can do. You will most likely break your support contract if you start poking around yourself," he said.
| | Reader Comments: Multifunction Printers: The Forgotten Security Risk | | >>> Post your comment now!
| | You clearly need the whole articleTo quote in a round about way
"O'Conner alerted Xerox in January 2006 and a patch was shipped in February, before the Black Hat event" Posted At: 02-17-08
By: not farook | | | | | | What about network traffic?An additional issue, with simple printers as well as complex, is network security. There seem to be very few options for encryption of the print data... Posted At: 02-14-08
By: Bob Rasmussen | | | | | | The sky is fallingSo, if I understand this article, we are vulnerable, but we cannot do anything about it. Talk to Sharp, Ricoh, Xerox,a and the like? They don't... Posted At: 02-14-08
By: Farokh Monajem | | | | | | | | | | | | Setting dg to 0.0.0.0Setting the dg to 0.0.0.0 is not a bad idea. I just checked out the printers on my work and the default gateway was set to 0.0.0.0. But unfortunately... Posted At: 02-14-08
By: Joey | | | | | | Stopping external accessCould it not be as simple as giving these devices a Gateway address of 0.0.0.0? Posted At: 02-14-08
By: Dan | | | | | | So true . . .So true! I was at a deposition at a major law firm recently. Their wireless and "guest" wireless networks were locked down tighter than a drum. ... Posted At: 02-13-08
By: Anonymous | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������xv0܃y쉱1
HB:IBv;眳X6mgns��O$�6{z?og&�TU*J7�~(�V4Ú+[:lm骫?�'{歯i3Wv5m�Qu�E�HwGѴb��Su\��> \>g-Vȿ��jXx£aig�v
={w6;wֿEYu&G|O�u7�u��ж�G^Q|�Cq={�rع|+Zw��;A�7@l&3W`Z�LT)VRc�g"��ԂN�Y�_'W5}(�~o[G%Y�rIBv78Pq
OG�4XYNbn\�:7~�:�'9wfٚY^�ZM��r�vf�#?>�W�wgw/�w]nYcGVd]F
'V|k!/v��f&y]��,��Rm�l^� ;d�zO7�2͇) xW:�ų���2p�3P[((vs$��Rv'V|BXE?
~fA�m�34�o[#3FE [-�u�@8k:Q<::bmӖ_#D��t_!X]=7�Sf0�M�5s,E��g05A�Mu\� 1hbdk���v.f\Ѿ,�A\^ P�.P�_&[��jƫwEM �R%��=VE�A.2)i!�) 6=aDDd/\�~�_5&ÓAwڪ9Q[�k+F]M]h臘%\zmMZmoz�~�+>14Y`Ip-K.qĹ:|StkգtmR7F�*JGE{P�h
S�n`qX&aѡJ]�<��7atge4L9R,+4�}t>G�Ⴢ$>(hFƋ?Һ0|E�����H/0i�\|�gG�ݺ~L�>��Wh��}c{N3'��h$�nh��-DAw50Ie{e"3 9��G۽�ޚA���QΚ#ax`yQ�&C��=�v@�OAX��꺶�U{:�@=�90�PO�l�22L0(�WN'G�%Ϸ"Z}g%>] cWII�4eA|t�"AђFe��(�4� �gs�X"M"''�`[Πw�%w$]\VpB`�TݞH'XSC{�:㱡�Y .�ՙdn�i��&O�0O)iH\U�~L�s�ԟ#Fs�~5h=l@�:���f3|�fZ>kw��i\X#,TyӦ3�93,X0N
uJB+H5L��´L4X~Ħ�㘆�{�r�G'.-9�an5�|D���蹁m>`T�4fsSڦaM�S6U\gsF@B/S2 L_&AB5
6d:$Wtͳ�pt̝�ȭ}3n�>�CYo5�X�S�cX`DP�t7<��é=bFJ�V�>zh'ѫ>Ug�H!tX+n�ڽ/p7�J��R[k��+C
I �2L�qjeqjPKqmLGe+-ԅ@&�(hKke�zhx0$�lU6��Gq�n�Qy�m�{8O1�3l`(�]RQMTYF4X"Kr-�5�m.L!0("H 5��tgbˡ\2a�AеM�Wy4�Td|f['Z`�˞�R.C2""0V�}"Pa�I!�&fb>h[��*^=�W( ��-��݅CɁU|uhc(pp2wV�=-�.ߌ8緝�a�y+��@o�TuJ
D�m�dž �xH#{Wq=�)_ o0kBlXHb1"N 6�Dsp�a,Be1� F=M~̦�tɊ A0JqЫU+Ú@�%@B����V��FD�eql30S�T(�&8��
+v���N�e0\磉�CLК+=2Ђt'.��-b[$I�S<&ƽ3A銫NʼnPۉ�u�ap:�0HE&1A|Z)4��
y< DQ,IT1�9�j
+"*�[8$P2:ETℛ.E^a~�V��Kt-W`�"'uu�q~ᇆ9*#
ߛh�ho=_HzTEp7C�Z\j8ǙA�7
cUQ@Px�C{<��8+!�g꼻��fКmm'hp`�>6Q�ԇ�K>8X1{h'0N�SSm (�ȳeK R)F<}$rb=�7Xb�WQaso'(��bx�h���!.�<�hS�t`I�ms>ӽ{$�ho EZ7L�?帠l�ЀY-
q2w=\�� Q`9ީV�Ӊ_m�0S-�O(Վ"~cλgM"�ͿY+Q3��QT�t�cڷ�Β��Jg�~pp㉊\XB�_6mfH^nb2U{Y@o*1�
3-ӛU+|�J_DS>�3t�*|85V k�Z�}1͋r
S[; ȝΨ20:4�}Y@�Q/r%%CLfQ/b��>~Ί�
9L�
bG:L)z߬AJ`%tf�=M�X��_�$v-Mboc�c�~�ϝ`3 f�Z~hܼ6;ar1$���_NW5ZE`-j0/(�W.�,:S�
z47@a�.�s��D|z{P�JL*~a5#l\s�[�oT�JT�9HQ=EmP=QN9͓0r2],JCQ^<
h95P@hr[�\
Sm{CumfbvU٘+TdsdT�Β֬v�K�*;rV/Lv�_;)Ib"��0KQ"�|p&1�0S
Nn4^;M��Js-R�try#ڔTrT+V^D�D\J29MLt�u4� J �t�IJ�L5�5;HOB�^2xzT),���?<0Ȉ��<<�1q~�Ny��MYxG "TšX݂�u
`Po?�/8NM�.jF:~��*V`
~R4Q�r(&�T/ P`� ݗШ��NBQx*N<}x�bbj��<�I=e;�?1Pц|�}$9g>�eY.vAlkZ5aO;.�reh���OSrHTWae�O.�LWRtT��/$��X9�H((V�"���d[\lpDd�-9@KEoj&W[
xr~c, ,{��J+*`=2�
�T�S�\;�hn>�'.���P�$�/I4lK2��:=AAb�z']w{68&%Ş�y{�ϱh0q�sby^; �3o\t/�Ya^q\i\c�0MC�~�g�J�gB�øDo3�)#h3�J��F���I�]�Qt̮^7{ա�.; JCfqD*'w\owdO{[vܬA.�!�ޠw< h�ڗ4�YG#�!B^vڷ)&�ǔ�L�oRh$CYhX#�:k#Cg/�h!o�Y1���/�3>\zA_46Fπa6j#�n4n��2ka���
�ju}`�-�$58��1 %��kNGu7O`�{k�x-�����|�ea�LFrE�=#�i͘�9/QMNS�):�Qrup/Er�}�<\<_exL+��'BI{p3hъqvY#]��a~w"Sۇ��.;r�{cdw$y!@N-��k��n�E�ɦz�;wdjhn�Yk�Nyh =O[�?Er�clڏA�Hcq
$�zڦԥ٪b
t�x<ƒN)'tJ���=�)�jr$Ÿ'2�IeJ4N2�uI@?�Mx$0HPWhdlA7 N�dž5>ܻ8
.^߹mD20�i6]
VM3_Ә\b�tOۗDY�+o�x$6t7>E�
f[J*'?��ᑿ�z�s:I�Li��9&�Q\C=;VY<: t7�ꇤk�vΰvp��w؎+sz�O+�sG�Ww
.'zCvHGoYMR�1J},Ȅ�S)A�/gx9K�Q!fPx.$�4@O%x�wq+ k2"|%3a�qm�**�'q)zpM�IX�rFF签"�E&p�^x9:p�X!��Gs��He3Do�Ӽ2hјAxnt�U}WQuw�~@!.Mo81+x��W��^3O��~KC�w}K;i3OK+T_I\~Yh�r;ث%ًJQɇymY�z�S@�Do"i�z0soK�"jcۓ�Uf�P�~1aO O>
q�1驾EW)��2� mw�V9g;$9��6@(8T�x�\�[w5%pRx15�y�(�h4R
�g.�lh��r["
Ұk3G!�3qZ'$$|+؊w�oO_��o+N{kE�|;̔-u�\O�/5[�%p��W�_C_c�JM$O4y˭ L HP��xۑ+Җxы'E�|~wgK|!3ÂUi93& (DLs,_V�0��*�V�3؋&h1 [rcaZ��˱i՟O&�%O[�3 *
o!�_H9�j�Oɋn��J�.��3q��dZ�,443ȨE�Oa`�MYM�D�T�] g�hކ�.�O�|Rn@0>*ޚFh9Oι|^㛂"��/�OQU+6
˵h7\a)c�~%*v!k�]
RC9�-ة�;mj\9:R�i)�R�|Y@K�ZI(){,G�J��!�:�h�>�㱆��!O>'*C�طX(�_6 ƑI˕ذ!]�H��.
v-h�k�[c<&%�=O?ᛁxiQ���wWx$JĶS�O9����h�Jj�ԛcB�f+㻲q����~��]� $�x`&<>L'��R&gp?�A�0@KP:ؿàIaLa��p�wVׅ[Ȱ$�AZ�h;a-.F©=75N8p
�hXO�
TqRʨח��bLC��P$����tN�/K_L�^DKjĚGB(�۲fY7w�˛!}�h���U�ME�a�oQ�^��(ȕm���-nH��3_k? ''�I;P�)7�
Ԍ���Xͼ%�82]��K�n�$K�\��7G8�_K^>�iC3*wek)$諊%(O@3L+�*�+SW���<'QoBlhoƭg�@m�'T4�e@|)7m2�-k0i�*u uRMO:r
'miwS%U�N�5t7K� T0�04���{H(\����2 (�/H�v#A.q%=o '$u8 ����e}:}nz
dr+d<!݉mftGAD'i_��ܗ�³tH��M]יo_L��¼[ë9��;��BW�
R_.
C!�Z�.}]Z+
6Xg<#Z|y5���1�}v^�Ν]L"�VWdB�BB��k�SE7I��$�(`� oG_PK\ڴ^VKV+�\@3g�P�©�1d=g'Ao^@�I[r{8Stx{2(bU*M�
cXb|pE�e�w{/�&!�<��< '�Oh��O�<���[b�ZdoV0��WB�.l_��tS)�V �uK.Pb��ޫ���#���I�0He�ȞA3*m>��9se{G:PT�@cFm\q��l��DbS �cD @:6e'Z9e7[;Wn�w�:L��%q-f �Z�NlP�<5=u\�@m �rī��mJu[��sY�e}ߞZ{_%�qgAku鼛_�WChH
/=UJw�X^�Sb-/7l{'ƞ��v�K�Bo(�O�ڧ۹V18?YgSn{�����١
�\L1ަF(��m�9wV4Y�
+o:@qX ��QGWq��@^[ή�\}f?+9�Ji$Y_ήglp�4-Ùync�d�H2@04ʴ�))V$R(��&�3*e,�MvMe^"J
�f�D���(. zmka~ycN�6<؆.Z,#VۮK~~[�#oQa<�v]4+�IN$b'ŰẊhELVHm�x~1H7BD��x�5]�\Z)*q#>QT�tQ\'cT��<#n��JrP�tnk$f+hr#sxs����?9)Y��1C(u[:1���~9�PAg�.$�
":ޝ~J4fSpa�v�f0P�:6M_{ʟbi-�u�*ȏ̱]�^i�\g|
jad#6ybuK�ɨ�?Hp�k�'{c@=�Q'�Ht�Q?yd���x�Z>Jj]s3c[qx�ޞR+ǫv1'�cЉ+pC@Yƪ1�(t��F^[264�@l]�{3Dvxa�)�y��'>m�4?)6v�>h~� ���#�=%P$(#e('m4.kޔ۩��AX��߰�NBƖ��Y�{ �KE��Ю?�1?���Xtv�sp�/I_R6`L1WP��m.�Mfˢa���\�3I
kQqb?]C-utIkb"]IQx}��[)x\MSWƄM�tC�,TW䲈uvü�anmR˥z5yGqMLEa;��K�RaaazrJ>HP)E$0�_):;�pGa-
`y����c;rV]Oj�{ا,�5ExxB;'Y ��@/0K{��B��ͰCNln�'ə>hG&nJ�6V* tolLH��-gD��f<�+31/Wۏ�slO1�V�
L/0Ԋ�JXɶ8KIlwIQg')q8�/ȅb)����egqсH�
N#by+Ө4p�oD�Qd+nO�Mh5&mFR8?4¿F\
EIe�²�L}�x�aj�a�B9˪M;oP}wY?e=ra
�'�_|RIKFl+;Y75��s�U�8A�Wa,r4�Q:'`�$� XP0���h$�VkEr@B?{tC�f9ـ�j�El~Kx\ӑv
/m�\F�8]!1K=�oL{_4p
X!q4��Ye%+�ڃ>qsF@Yb!q;{L]����r@|0\']+C{I;w`й@F.b�LpHr
Xȝ)U@SY�A �~��,@N��{�l�Ka 3۞�;}T tIQ6V�}�Zw}؛0ؔ)�Cķ��>BZ��q0�pft$05{~�>�́�,Z
MhăqEFE#Ph|��GFC&�~J79tbi`I t��d
�D=�p]<�FO6")ID3c�cyZ�s:#|mb~00݄ꖪ���^1JK\Ϳ�@e=D�q�^(�Ws�x@Sd�$�0XX.
U��E�ĭt�0��w�j�)C�t*@ؔ�t763p>�9��>,af?�sl��X�-�.bE�.KqSܕi�&m>�>&U5Kvtk?�6t YC>U&F�=�GooŶn���K� ryLb
�4�B0�o𨔚 ����zgj8��B�h-f,�-Ջ5�< L꺄OR�\vEX
z\,Vbꥯ;t'�wV7ſc-4W
)W*.
��?h�9GCd>x�!�0 =f:*�,\}ssnIv:z۽�t{sٻP֚��_'Sܩ;'OOmzk�.�|hKym2/*�r(@_:N83ԭ \W�,x��e�^J��M`�>Z=eIS[:o=UӦ?h�J�cHjj4}63alf1�:�hO!u;V`RZ%eFPkFoP[F-ߦS�=(e#�π�gS(?M/?�g=}F��\뢛^=˵g�пnF?ӽ(w3k?Q ?_��0۵2
_e�^e
sA+*�+ϫ��O�?Bnj�((�#
ʯ2a|3�:C~a3Ư�e�z_z��&?nMF[���?�� ��_�cV91�@�r�2ڿ�\'���3}�S)�Ju/*苬5rXB]g�Ay>JP/n2
؛�:WK?3��^�}VdV&oݛY|]-brQdFWz�^.3S�3pڭ%]��hwp_l�^c/UZG%/$rm��<"9~#��gG6�+.͗'ވl]=�g%)Ix�=0?Muz^\O%b}+r>V=_b�%dE,ElG\�͘�bR'`Fr��d�4)ʽpǜgW)cn�AZ-u#Ca0����(G.�v�ڸ)npK|{2RGP��n3Ok|>q%2[~t^<\Ȭk_FZkp'k͠6KƈHR>Y�z,hvx�ߚ΄�i�-J�cġW�$]\Ű<{^֪q3Ntc}~�>ѧ�;s{ݾ�wCk>k'SY"8MϘ9:S�a���J7`��1z�Ω?9:�_hع[�_ z:}K6@$~؛�,@E��$Ms#Zr��Jk'"(C:&0#EY,JT'�=Ӧ`tT)�&�)�xF�
�l]d{ۦJ�̾hrA�3dCh)x=̺�o[�%~C� P��#�ۃ-S�2�Y3K @5uō0Nkx;r �Q �?4�(�s��[^F%�lm�Bo#Z��9x=1dju1R�
�_^VT;�cT��\;�})qi��s_@4ǝaFrV��@���z4=�z<8Q>�NN)�j�6� pz+ʼngD�r߲)tO�5��4_�bI[ed
�*`V﹡3.�C6-�"_J2�X\vND�Aw|@!ɋ?0Bk%N# M�^���`yCЋRz{n���Fy�VcFp�+����]k살s�#i�^zIcY~Z�3+ծ1���ӮSmWg�#�� Ą��k=*:55~/��P<��ښ>%� Ol8�]M;/'̵kp.,|C#(Jq}dA6HOUL-sm{vl��k*�nܙep[�"��d`�^J�&\
D�@z_4*1�LvbiX!FR6X.Nv9B��m`Z(>/A4�s}z�`礿Lx ��0G ?�ދrP�
�&ӣ>��з ^BN�я]-I�S`*xCr:�vˬDa���ߺ��|��
0vGĶ2C2
o�
+#=\&&k$~El=Ү\W�Ŕ+�
]'[ۧ3�Й?-{bW/���e;M�
/H_��{��QFb�vC�nu���nDl`a�Q11n,Dـ9&@~
a��6�뱊v�zPӆ\�v�Qm^*6aW�ڞ60(�|N�Wusj/�|Ua=�)�ϱ|S'��zaQ g�yY6W=?5^:e�h϶~�oηpR$8R��e�pCikIW�{{AbZ�
XGVWQTR2!�;�دx?����i���;cXJ�4�o�;�;0�Ux|-h\�}�E]ئ.�LgḜ"?Q<:UGd'KW61KulQ�oz|�]�0�XjPtP.9/_�'a1�+)=�:-�h]N&6a]`r8Lte4Q3|�J�Mm)'�3�G׀ T4<*�]x�
O�0VV�P@эh�-j�Q%xv(8)�ҁACԜBʄ>e�1#Gn0\tQ1O
d[܌_م�����&x C��4$���}P�
cYx Ŧ$�VdSM>}�biMثAX9��^Dm�>|��Ù�c1&ѷ7x �'MG?A�
!n>ߧ_&/~W�f1[0̴�|i~u|ՠcD
Ͻ7 ̲T/�E5*=v�K�@Q�~p�E5R4>�+�puȏMPb�#�t;QwP�
O3�5X%�
�~ǴM)5��j�a/X�GU/A>Nq�g_ťf3O��&�b-�����_-Ѓb>�i6t�sJf/p� H0\}knH1}�crF�E;L ј�O;
MR8HT'02,Q5�,8;z}��?ÒyT.NS�VKRM�t.��(�k馲��Q
jz?JFY�#nڋ��Oأy�5XC�V]�E(gqQ=af�l�T7o��&(c0�ϋu�F's4dAåc7Sf�.̃�)}�Ϡ�賘�A泥�43^}fkv�h)�?*�GvGTp�7Yw}ݻm]L/6 ��f2�\UӮǨ,7bw±F�_u|uo%��FͶct_T�n]4�{C�i/�?7�_/� B1a�ч&�S�a_ne�x�mP՛泑 A(^ۖ0b}�TFiB$tbŞP*M~�!�֏M�vH�,�,,=f0�*�/�e�:F�<90I�o�)�20�'�xem|%+( w�xɟ{1)@t~!y I���H�&x,,e? �0�DysM?��5{Qߒ�B?~|�{�
y<<<-b�*3#r/Y}I���(�|6ci`�M�x_�wݺJD
%����Hoڧu]m�wۼcP�k7!Y#�b
d�i*/��ξ0k�MKW8<盥9��)Hl1zj
U*j�NVL�V4ȶ�ʔE=�-Q?g�M*IM[DK&51 B�mktXĉ���v|=,D³r3oGi�N|=5ɉi�3y_�PGQθ)�#�4e)h�$@/�^fS&c�Bh%S��M?�J#J]x58�z�l��S0ր�,b�UnpA' e�d�.;k\Cg@8o_u/?�sZ}�\ m"ՈjuC��+FR~yT|龿��)>]n��wUǓo{�τE�yt�-w{I�bwngg��tP3oE.�X4�sX(AU�K0R���\e�!}
:c꘢�7c,
ÇhOry�R=ֲ��?��lr[)hbm�lA�/5v#:�1��RM黺2�cQan-n
|
Network Security & Hardware 
