They run a wide range of operating systems customized and hardened to varying degrees. Linux, Windows XP Embedded, NetBSD, VxWorks, even AIX in one old IBM printer model. These operating systems may have vulnerabilities on their own, and who knows what flaws are in the applications that do the actual printing, scanning, managing the control panel, and so on.
But the issues of most concern are the ones easiest to exploit. For instance, if telnet is left wide open on the printer and you can just log in with the default admin password, then your printer belongs to another.
In the longer term its easy to see such rich printer controls moving into the consumer printer market, and perhaps its already there. Maybe the average HP Deskjet is powerful enough to be worth attacking.
But on the other hand, consumer printers are almost exclusively attached to individual PCs via parallel or USB, not network-attached, so Im not so worried. They could be attacked once the PC to which they are attached is attacked, but if you already own the PC, why are you wasting time compromising a printer?
And businesses are vulnerable enough when it comes to printers and perhaps other less-ubiquitous networked devices. Many years ago a friend of mine got a high-end Tektronix (now Xerox) color printer for her business, for which she had all static IP addresses, and the printer was on one of them.
I pointed out to her that the printer was directly accessible from the outside and that if someone knew it was a printer they might be able to print on it, say all night, and use up all her very expensive solid ink. I dont know what OS was running on that printer, but the remote user could probably also have taken the printer over and used it to attack other computers halfway across the world, as well as elsewhere on the LAN.
Thomas Ptacek quotes @stake as saying, "[P]rinters are file servers. For the files you tend to care most about." Think, for instance, about the printers your accountants use to cut checks.
So the answer is that you need to be aware of security issues and on the lookout for updates from your printer vendor. Yes, thats right, your printers need to be added to your patch management cycle, including testing if you actually go that far.
Even as I write all this I get the feeling that its overstated. As one observer said, youve only got 24 hours in a day; does this really show up on the radar of problems you need to address?
The answer is that it has to begin to. On a real corporate net, if you leave outside access to your printers open (some people actually do this) then you are inviting in outsiders. And if youre in charge of a business security and youre not aware of these issues, youre not doing your job.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.
More from Larry Seltzer