http://www.eweek.com/c/a/Printers/Multifunction-Printers-The-Forgotten-Security-Risk/
By Ryan Naraine
eWEEK.com
2008-02-13
Networked MFPs can introduce significant risk to your business. Are you
paying attention?
That networked multifunction printer sitting innocently in the corner of
your office just might be the most significant entry point for hackers
to hijack sensitive data from your business.
Even worse, security researchers warn, they are a forgotten risk in
every enterprise, featuring hardware that combines several functions in
a single unitfax, copier, printer and scanner.
"A compromised [multifunction printer] is dangerous for a number of
reasons. First and foremost, no one in the enterprise pays attention to
them. That lack of visibility makes for a very attractive attack
platform," said Brendan O'Connor, a researcher who was among the first
to call attention to the printer security risk during a Black Hat talk
in 2006.
"When I was doing my research, I had dozens and dozens of MFDs under my
control, and no one in IT knew what I was doing. The idea of an attacker
having equipment completely under their control on a company's internal
network is a frightening proposition," O'Connor said in an interview
with eWEEK.
The networked printers, scanners and copiers, he said, are no longer
dumb machines sitting in a corner performing mundane tasks. In his mind,
IT administrators should start paying serious attention to
vulnerabilities and weaknesses in printersand start preparing patch- and
risk-management strategies.
O'Connor, who works in information security for a major financial
services company, said printers should be treated the same as every
other asset because, for businesses that depend on a paper trail,
something as simple as a denial-of-service attack can be debilitating.
During his Black Hat presentation in 2006, O'Connor picked apart the
security model of a Xerox WorkCentre MFP, showing how the device
operated more like a low-end server or workstation than a copier or
printercomplete with an AMD processor, 256MB of SDRAM and an 80GB hard
drive and running Linux, Apache and PostGreSQL.
He showed how the authentication on the device's Web interface can be
easily bypassed to launch commands to completely hijack a new Xerox
WorkCentre machine.
"All the information that's being printed, scanned and faxed is
susceptible to theft," O'Connor said. "Once under an attacker's control,
it is simple to covertly save copies of other people's data on the
machine's hard drive. With built-in network, fax/modem and network
capabilities, there are a variety of ways to smuggle the stolen
information out of an organization once it's been captured.
Another attack scenario is password and credentials theft in an
organization.
"If users need to enter a password for certain operations, like scanning
to e-mail or network folders and shares, an attacker can capture
usernames and passwords to gain further access to network resources, he
said.
O'Connor warned that some MFDs have public IP addresses that can be
found with a clever Google search queries.
"A slightly more sophisticated attack would be to use CSRF [Cross Site
Request Forgery]. In a CSRF attack, if a user views a specially crafted
Web page, an attacker can trick the user's Web browser into launching an
attack against an internal printer. If done properly, a CSRF attack can
be invisible to the victim and give an external attacker control over an
internal device," he said.
There's also the scenario of someone posing as a copier technician to
get physical access to a device. Done properly, an attacker can
completely compromise a vulnerable device in minutes, he said, citing
the insider threat as another significant risk to printer security.
Thomas Ptacek, principal and founder at New York-based penetration
testing firm Matasano Security, said the risk is more than just
theoretical. "Should my mom be worried that a hacker is living in her
printer? No. But, if you're a Fortune 500 company, vulnerable printers
on your network is a scary thing," Ptacek said in an interview with
eWEEK.
"There are several of these printers on every floor of every business,
basically working as file servers for important documents," Ptacek said.
"Printers deal with much more sensitive information than your typical
file or storage server, but they get no protection whatsoever. They're
altogether ignored as a risk on the network. Do you know of anyone
looking for patches for a printer? People underestimate how dangerous
these things are."
In the financial and health sectors, for example, he said a skilled
hacker with unfiltered access to a print server can do serious damage.
"He can hide himself in there with a rootkit, capture all the documents
passing through the print server. He can take over the printer and
basically have full control of every action. It's the perfect catbird
seat," Ptacek said.
Ptacek, who provides security consulting services to several major
software vendors, said businesses should be worried about
printer-specific malware.
"Think about it: Printers are the perfect target for things like network
worms, he said. It's usually a [monoculture] because you buy them by the
truckloads and install them with the same default settings, with exactly
the same footprint and no run-time security. You run a command on one
printer; you can run that command on all 1,000 printers in the
enterprise."
Even though his Black Hat presentation in 2006 raised awareness around
the issue, O'Connor said the problems remain because printer
manufacturers have not invested in security during the code creation
process.
"Some vendors have taken some good steps as far as trying to release
more secure code and giving the end user more visibility and
manageability with regard to the operation of the devices," O'Connor
said. "Other vendorswhich I would rather not namehave hyped new security
features and software on their MFDs [multifunction devices.] These
things make for great sales points and press releases but do not address
the real problem in my opinion. From what I can tell, most vendors
haven't done much of anything."
He recommended that IT administrators make it a priority to talk to
vendors about what's being done to protect multifunction devices.
"Ask things like, Do they do a security review of their code? he said.
Do they issue patches and fixes for security bugs? Do they have tools
for the IT staff to better manage the devices and gain some visibility
into what's going on under the hood?
"Unfortunately, if your vendor is uncooperative, there's not a lot you
can do. You will most likely break your support contract if you start
poking around yourself," he said.
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
Comments