A presentation at Black Hat 2006 by Brendan O'Connor covered Vulnerabilities in Not-So Embedded Systems. Specifically, it described a hack on a Xerox mulitfunction device (copy-scan-print). The machine has an embedded AMD CPU running Linux and Apache with the Xerox applications layered on top. Accessing the device remotely thanks to its web and telnet interfaces, the hacker exploited vulnerabilities in parameter handling by the applications to compromise the root account. To Brendan, this was a bit of a lark. He clearly enjoyed explaining how to hack the machine and, for example, photocopy and scan a stray paper clip and set it up as a default printing template. For Xerox, however, the presentation and exploit represents a security incident that forced them to roll out urgent security fixes to their understandably irate customers. It seems unlikely to have enhanced their reputation in the market.
More security incident management and hacking links