Smart Printers, Scary Printers

Networked printers — yes, printers — can open your corporate network to malicious attacks. They need security patches, too.

By Deb Radcliff


This means we’re in the preattack stage with printers, says Chris Wysopal, former director of research and development at @Stake Inc., a security vulnerability assessment firm that was acquired by Symantec. Printers, he says, are on the radar screen of the hacking community, so it’s only a matter of time before PCs and workstations get hardened and attackers start delivering attacks to printers. Wysopal recalls that while working in the vulnerability research lab at @Stake, he hacked into a printer through the infrared port and changed the administrator password.

There’s a common impression that printers are vulnerable to attacks only from inside a company’s LAN or via remote log-in to a company’s virtual private network, researchers say. But that’s not true, says Alan Paller, research director at the SANS Institute in Bethesda, Md.

“Five years ago, four HP Jetdirect printer controllers were used in a denial-of-service attack that took down an ISP in New Mexico,” says Paller. “And more recently, shared printers have become back doors that allow attackers to bridge from low-security areas to high-security areas.”

All it takes is any remote code-execution vulnerability, such as a buffer overflow or cross-site scripting weakness, to spread a bot to the printer or use the printer as a launching pad for other attacks, says Lamar Bailey, senior operations manager of X-Force, a threat analysis service of Atlanta-based IBM Internet Security Systems. ISS keeps a dozen printers in its security lab so it can test new vulnerabilities.

And, despite opinions to the contrary, network printers are also already at risk of direct Internet attacks, say researchers. The first, and most obvious, link is when organizations put network printers outside the corporate firewall to make remote printing easier for employees. This is something O’Connor, Wysopal and Turner all say they have seen too frequently in their vulnerability assessments for clients.

Furthermore, online print-from-anywhere services are also direct points of attack from the Web. Some of these interfaces include embedded Web servers and/or Web pages with IP addresses. This is why, as part of its risk management policy, McCormick turns off remote print services, says Rossman.

Patch Management

Of all protective measures to be taken on these embedded devices, system hardening and patch management are the most critical, according to security experts. McCormick relies on its printer vendors to distribute firmware updates and software patches, says Rossman, while other administrative chores are handled in-house. But Paller says vendors, in their attempt to offer more services and uses to their customers, actually make it hard to turn off default services and change passwords.

Vendors have made some advances in filtering, document protection and access controls, but they’ve made little headway in comprehensive patch management and system-hardening processes. O’Connor says vendors aren’t always forthcoming with new vulnerability and patch information, making it difficult for IT to manage what is still mostly a manual process.

Until vendors work these things out and users start treating printers like the points of risk they are, network printers will continue to be sitting ducks, waiting for attackers to pounce.

“Network printers are large print devices with embedded Windows systems that are interacting with the network just like any other Windows-based system,” says Rossman. “They need to be secured.”

Printer Security Risks

Risk: Network printers have more vulnerable services running on them than networked PCs do.

POSSIBLE ATTACKS

•  Remote code execution
•  Sniffing (for passwords and network information)
•  Capture of intellectual property from documents in queue or in local memory
•  Root control of printer services

SOLUTIONS

•  Disable services you don't need.
•  Use vendor-provided document protection features.
•  Change default passwords and encrypt them.

Risk: Network printer applications have a growing number of vulnerabilities.

POSSIBLE ATTACKS

•  Buffer overflows
•  Cross-site scripting and other common attack methods that disable an application and gain root control

SOLUTIONS

•  Perform better code review.
•  Adopt more secure application development processes.

Risk: Web interfaces, Web servers, Web pages and e-mail are opening printers directly to the World Wide Web.

POSSIBLE ATTACKS

•  Hijacking or impersonating a remote administrator or user session
•  Malicious code injection
•  Remote control of printer

SOLUTIONS

•  Turn off Web connections unless absolutely needed.
•  Use strong authentication for remote administration.
•  Change default passwords.
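The sidebar's fixes (disable unneeded services, change default passwords, keep Web interfaces off the Internet) can be checked against a printer inventory. The following is an added example, not part of the original article; the inventory, the internal address range and the list of needed ports are constructed assumptions, and the port-to-service names are the standard well-known assignments.

```python
import ipaddress

# Standard TCP ports commonly exposed by network printers.
SERVICE_NAMES = {21: "FTP", 23: "Telnet", 80: "HTTP", 443: "HTTPS",
                 515: "LPD", 631: "IPP", 9100: "raw print"}

# Assumed site policy (hypothetical): only IPP printing and HTTPS admin are needed.
NEEDED_PORTS = {443, 631}
WEB_PORTS = {80, 443}
# Assumed corporate address space behind the firewall (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample inventory, e.g. exported from the organization's own asset scan.
INVENTORY = [
    {"name": "hq-floor2", "ip": "10.20.4.17", "open_ports": [443, 631],
     "default_password": False},
    {"name": "lab-color", "ip": "10.20.9.8", "open_ports": [21, 23, 80, 515, 9100],
     "default_password": True},
    {"name": "remote-print", "ip": "203.0.113.45", "open_ports": [80, 9100],
     "default_password": False},
]

def audit_printer(printer):
    """Return the list of hardening findings for one inventory entry."""
    findings = []
    ports = set(printer["open_ports"])
    addr = ipaddress.ip_address(printer["ip"])
    internal = any(addr in net for net in INTERNAL_NETS)
    if not internal:
        findings.append("outside internal ranges: move behind the firewall")
        if ports & WEB_PORTS:
            findings.append("web interface exposed externally: turn it off")
    # Anything not on the needed list is a service to disable.
    for port in sorted(ports - NEEDED_PORTS):
        name = SERVICE_NAMES.get(port, "unknown service")
        findings.append(f"disable {name} on tcp/{port}")
    if printer["default_password"]:
        findings.append("change the default administrator password")
    return findings

def audit(inventory):
    """Map each printer name to its findings; an empty list means compliant."""
    return {p["name"]: audit_printer(p) for p in inventory}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or "OK")
```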

Radcliff is a freelance security writer in Northern California. She can be reached at deb@radcliff.com.

Copyright © 2007 IDG Communications, Inc.
