Smart Printers, Scary Printers

Networked printers — yes, printers — can open your corporate network to malicious attacks. They need security patches, too.

By Deb Radcliff

Page 2 of 3

He described the kinds of mischief you could do with a compromised printer, including password-catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program.

During his Black Hat presentation, O’Connor, who says he has proved in his research lab that these hacks are possible, showed a video of himself exploiting these vulnerabilities in his lab.

“There are actually quite a few attack vectors in these printers,” says O’Connor, who by day is a security engineer at a Midwest financial services company he wouldn’t name. “I shared a couple in my talk, and I released a couple others privately to Xerox.”

Xerox thanked O’Connor for his research and issued a patch, according to the IDG News Service, though O’Connor says vulnerabilities remain.

The question remains how many IT departments apply security patches to their printers. “One of the reasons this is a particularly nasty problem is that people don’t update their printer software,” security technologist Bruce Schneier wrote in his blog. “And what about printers whose code can’t be patched?” asked Schneier, who is chief technology officer at BT Counterpane Internet Security Inc. in Mountain View, Calif.

The apathy toward printer security isn’t surprising, since printer attacks have been few and far between in recent years. That’s mostly because, right now, it’s easier just to hack PCs and laptops, says Dean Turner, senior manager for security response at Symantec Corp.

But as those systems become more secure through tougher security standards and best practices, attackers will turn their tools to the next low-hanging fruit, Turner says. And unprotected printers are a logical target.

Last year, Symantec logged 12 new security vulnerabilities for five network printer brands: Brother, Canon, Epson, Fujitsu, Hewlett-Packard, Lexmark and Xerox. Twelve may seem like an insignificant number, but keep in mind that it’s greater than the number of printer-specific vulnerabilities found in 2005 (10). And the number of such vulnerabilities found in the past two years accounts for nearly half of all printer vulnerabilities identified since 1997 (52).
