Our Printer Got Hacked?!?!

By Larry Seltzer  |  Posted 2007-01-25 Print this article Print

Opinion: Yes, hackers can enter unprotected ports and exploit buffer overflows in printers. Things never stop getting more outrageous with computer security, do they?

Its one of those "not really a big deal yet but could blow up soon" problems: Printers, especially higher-end multifunction business printers, have become so intelligent and complicated that they have serious security risks. They are, in fact, really desktop computers, even workstations in disguise. They run a wide range of operating systems customized and hardened to varying degrees. Linux, Windows XP Embedded, NetBSD, VxWorks, even AIX in one old IBM printer model. These operating systems may have vulnerabilities on their own, and who knows what flaws are in the applications that do the actual printing, scanning, managing the control panel, and so on.

Anti-virus companies such as Kaspersky Labs are working around the clock to keep zero-day attacks at bay. Click here to read more.

But the issues of most concern are the ones easiest to exploit. For instance, if telnet is left wide open on the printer and you can just log in with the default admin password, then your printer belongs to another.

In the longer term its easy to see such rich printer controls moving into the consumer printer market, and perhaps its already there. Maybe the average HP Deskjet is powerful enough to be worth attacking.

But on the other hand, consumer printers are almost exclusively attached to individual PCs via parallel or USB, not network-attached, so Im not so worried. They could be attacked once the PC to which they are attached is attacked, but if you already own the PC, why are you wasting time compromising a printer?

And businesses are vulnerable enough when it comes to printers and perhaps other less-ubiquitous networked devices. Many years ago a friend of mine got a high-end Tektronix (now Xerox) color printer for her business, for which she had all static IP addresses, and the printer was on one of them.

I pointed out to her that the printer was directly accessible from the outside and that if someone knew it was a printer they might be able to print on it, say all night, and use up all her very expensive solid ink. I dont know what OS was running on that printer, but the remote user could probably also have taken the printer over and used it to attack other computers halfway across the world, as well as elsewhere on the LAN.

Thomas Ptacek quotes @stake as saying, "[P]rinters are file servers. For the files you tend to care most about." Think, for instance, about the printers your accountants use to cut checks.

So the answer is that you need to be aware of security issues and on the lookout for updates from your printer vendor. Yes, thats right, your printers need to be added to your patch management cycle, including testing if you actually go that far.

Even as I write all this I get the feeling that its overstated. As one observer said, youve only got 24 hours in a day; does this really show up on the radar of problems you need to address?

The answer is that it has to begin to. On a real corporate net, if you leave outside access to your printers open (some people actually do this) then you are inviting in outsiders. And if youre in charge of a business security and youre not aware of these issues, youre not doing your job.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel