Multifunction Printers: The Forgotten Security Risk

By Ryan Naraine  |  Posted 2008-02-13

Multifunction Printers: The Forgotten Security Risk

That networked multifunction printer sitting innocently in the corner of your office just might be the most significant entry point for hackers to hijack sensitive data from your business.  

Even worse, security researchers warn, they are a forgotten risk in every enterprise, featuring hardware that combines several functions in a single unit-fax, copier, printer and scanner.

"A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform," said Brendan O'Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006.

"When I was doing my research, I had dozens and dozens of MFDs under my control, and no one in IT knew what I was doing. The idea of an attacker having equipment completely under their control on a company's internal network is a frightening proposition," O'Connor said in an interview with eWEEK.

eWEEK rates the most influential people in security. See who made the list.

The networked printers, scanners and copiers, he said, are no longer dumb machines sitting in a corner performing mundane tasks. In his mind, IT administrators should start paying serious attention to vulnerabilities and weaknesses in printers-and start preparing patch- and risk-management strategies.

O'Connor, who works in information security for a major financial services company, said printers should be treated the same as every other asset because, for businesses that depend on a paper trail, something as simple as a denial-of-service attack can be debilitating.

During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer-complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostGreSQL.

He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine.

"All the information that's being printed, scanned and faxed is susceptible to theft," O'Connor said. "Once under an attacker's control, it is simple to covertly save copies of other people's data on the machine's hard drive. With built-in network, fax/modem and network capabilities, there are a variety of ways to smuggle the stolen information out of an organization once it's been captured."

A Xerox spokesperson said that O'Connor had alerted the company of the vulnerability in January 2006, and that Xerox shipped a patch in Feburary 2006, several months before the Black Hat event.

Password and Credentials Theft

Another attack scenario is password and credentials theft in an organization.



"If users need to enter a password for certain operations, like scanning to e-mail or network folders and shares, an attacker can capture usernames and passwords to gain further access to network resources," he said.

O'Connor warned that some MFDs have public IP addresses that can be found with a clever Google search queries.  



"A slightly more sophisticated attack would be to use CSRF [Cross Site Request Forgery].  In a CSRF attack, if a user views a specially crafted Web page, an attacker can trick the user's Web browser into launching an attack against an internal printer. If done properly, a CSRF attack can be invisible to the victim and give an external attacker control over an internal device," he said.

There's also the scenario of someone posing as a copier technician to get physical access to a device. Done properly, an attacker can completely compromise a vulnerable device in minutes, he said, citing the insider threat as another significant risk to printer security.

The anti-malware industry tries to save itself. Read more here.

Thomas Ptacek, principal and founder at New York-based penetration testing firm Matasano Security, said the risk is more than just theoretical.
"Should my mom be worried that a hacker is living in her printer? No. But, if you're a Fortune 500 company, vulnerable printers on your network is a scary thing," Ptacek said in an interview with eWEEK.

"There are several of these printers on every floor of every business, basically working as file servers for important documents," Ptacek said. "Printers deal with much more sensitive information than your typical file or storage server, but they get no protection whatsoever. They're altogether ignored as a risk on the network. Do you know of anyone looking for patches for a printer? People underestimate how dangerous these things are."

In the financial and health sectors, for example, he said a skilled hacker with unfiltered access to a print server can do serious damage.

"He can hide himself in there with a rootkit, capture all the documents passing through the print server. He can take over the printer and basically have full control of every action. It's the perfect catbird seat," Ptacek said.

Ptacek, who provides security consulting services to several major software vendors, said businesses should be worried about printer-specific malware.



"Think about it: Printers are the perfect target for things like network worms," he said. "It's usually a [monoculture] because you buy them by the truckloads and install them with the same default settings, with exactly the same footprint and no run-time security. You run a command on one printer; you can run that command on all 1,000 printers in the enterprise."

Even though his Black Hat presentation in 2006 raised awareness around the issue, O'Connor said the problems remain because printer manufacturers have not invested in security during the code creation process.

"Some vendors have taken some good steps as far as trying to release more secure code and giving the end user more visibility and manageability with regard to the operation of the devices," O'Connor said. "Other vendors-which I would rather not name-have hyped new security features and software on their MFDs [multifunction devices.] These things make for great sales points and press releases but do not address the real problem in my opinion. From what I can tell, most vendors haven't done much of anything."

He recommended that IT administrators make it a priority to talk to vendors about what's being done to protect multifunction devices.



"Ask things like, Do they do a security review of their code?" he said. "Do they issue patches and fixes for security bugs? Do they have tools for the IT staff to better manage the devices and gain some visibility into what's going on under the hood?

"Unfortunately, if your vendor is uncooperative, there's not a lot you can do. You will most likely break your support contract if you start poking around yourself," he said.



Rocket Fuel