Welcome to the SecAware blog

I spy with my beady eye ...

5 Apr 2012

Office printer hacks and security

An infosec blogger describes the fun he had using nmap to analyze typical office printers (that's an excellent Google translation of the Spanish original). 

Most printers have web configuration interfaces on the network and, thanks to having no passwords or (well-known) default passwords, hackers can play pranks such as printing junk, resetting the admin password or changing the printer's IP address (e.g. deliberately conflicting with another device on the network).

All pretty juvenile really, little more than geek vandalism, but I guess printing directly to the device might conceivably be of concern if the printer is loaded with check blanks and relies on security on the print server to prevent anyone who feels like writing themselves a big fat check from simply doing it.  Given that they would need access to the printer's network, knowledge of the print formatting necessary to put all those zeroes in the right place, some way of slipping past the business process controls normally associated with company checks and, of course, a safe way to cash-out, the probability is quite low, even if the financial impact could be serious.

Something else caught my beady eye though.  Tucked away in the blog is the throwaway line "In the case of Ricoh printers, which have a Document Server, we can see some documents stored (as images) on the printer itself."  Now that could be more serious.  Want to see what the boss - or head of HR - has been printing lately?  Curious to find out what has been sent or received by FAX on the office multifunction device?  Keen to read whatever has been submitted to the Secret printer in the secure corner office?  Mmmm, that could be a more significant risk.

For a more detailed look at printer hacks, see this piece by Adrian "Irongeek" Crenshaw or read this provocative 2002 paper by Ltlw0lf which reminds me that anyone with physical access to a printer and sufficient technical nous (say, a printer maintenance engineer, or a social engineer pretending to be one - perhaps turning up to fix a printer that says it needs maintenance as a result of him hacking the message on its little display panel) may be able to pull/swap its hard drive and analyze the data at his leisure.  Using a compromised network printer as a launch point for further hacks, and a fairly safe place to store purloined data, is a possibility.  Again, the risks are probably low enough to be insignificant compared to many others for most of us, but there are situations where they may be of concern.

As to what we can do to secure our network printers, the articles are rather light on practical advice.  We should physically secure the printer and implement suitable policies and procedures against social engineering attacks (accompanied by effective security awareness, naturally!).  Changing the admin password seems like A Jolly Good Idea, and of course firewall the network, if not the printer itself.  "Monitor the network like a hawk" is great advice for any organization that has a surfeit of diligent network security analysts with boundless time on their hands.  Other than that, we're largely in the hands of the printer manufacturers and their software engineers.

By the way, if security patching your printers seems like a good move, consider that the very same software update mechanism might itself represent a vulnerability.  Rock, meet hard place.

Gary (Gary@isect.com)
