0wning Office Printers

In a talk at last year’s EuroSecWest conference, researcher Andrei Costin presented several vulnerabilities he found within commercial printers.

Most recently, attacks against printers were mentioned by Alexey Polyakov, Head of the Global Emergency Response Team of Kaspersky Labs, in a talk last month at the Security Analysts Summit in Malaga, Spain.

Many printers today (and within this definition I’m including multifunction printers that include faxing and scanning) are in fact embedded systems. Most are running some flavor of (RT)OS, such as VxWorks, LynxOS, Nucleus, or Linux. This gives the device a platform so that applications can be loaded to handle the various multifunction features, like color scanning. It also creates a homogeneous environment so that if there’s a flaw in LynxOS, there’s an opening for a printer attack. No more security by obscurity.

Additionally, some printers use an embedded Java VM such as ChaiServer. Others have embedded Web servers such as VirataEmWeb. Either way, they have the ability to serve documents remotely, which means someone halfway around the world could be snooping through your document cache. Again, if there’s a flaw in the Java VM, there’s now an opportunity for a remote attack.

Even if someone doesn’t have remote access, most modern multifunction printers include hard drives. High capacity hard drives are capable of storing sensitive data, such as legal documents or proprietary information. The hard drives make it possible for large print jobs to be handled quickly, without someone feeding the documents. But what happens when the printer is serviced, the hard drive replaced, and all those sensitive documents walk out the door?

Costin noted that commercial printers have been networked for more than 15 years, yet they are constantly out of computer security’s watchful eye. He cites in his presentation brand names from Xerox (with more than 40 reported vulnerabilities) to Brother (with only 1). And this, he says, represents too few vulnerabilities for such a mature industry. In other words, why aren’t we seeing more and more vulnerabilities disclosed (and patched) specific to printing?

The dangers are real, say both Costin and Polyakov. Remote attackers could, for example, wage a denial of service attack by re-writing the firmware. More ominously, Costin speculated in his talk about “ransomware,” where cybercriminals “lock up” the data on a printer in exchange for money, and espionage, where competitors steal proprietary information remotely.

An extreme example would be where malware disables the temperature-sensors within the printer then jams the paper while it’s in the fuser, causing a fire. Having various printers erupt in flames would probably incite terror in any office.

To guard against these scenarios, Costin recommends that System Administrators:

• Develop and follow secure periodic practices and checklists for all your MFPs/printers

• Use and analyze extensive logging using MFPs management platforms

• Properly isolate MFPs on appropriate network segments

• Implement stricter domain-level printing policies
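
The logging and isolation recommendations can be checked against each other: firewall or flow logs show whether the printer segment is really isolated. The sketch below is an added example, not from Costin's talk; the log format, the addresses and the policy (only a print server may reach the printer segment, and printers never initiate traffic to external hosts) are constructed assumptions. The ports listed are the standard LPD, IPP, raw-print and management ports.

```python
import ipaddress

# Assumed policy values (constructed for this example, not from the article).
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")      # MFP segment
PRINT_SERVERS = {ipaddress.ip_address("10.20.1.10")}     # only approved source
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SERVICES = {515: "LPD", 631: "IPP", 9100: "raw print",
            80: "HTTP admin", 443: "HTTPS admin", 23: "Telnet", 161: "SNMP"}

# Constructed flow records: timestamp src dst proto dport action
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.20.1.10 10.20.30.5 tcp 9100 ALLOW
2024-01-01T09:00:07Z 10.40.7.22 10.20.30.5 tcp 9100 ALLOW
2024-01-01T09:01:12Z 10.40.7.22 10.20.30.5 tcp 80 ALLOW
2024-01-01T09:02:30Z 10.20.30.5 198.51.100.9 tcp 443 ALLOW
2024-01-01T09:03:00Z 10.40.7.23 10.20.30.6 tcp 631 DENY
not a flow record
"""

def audit(log_text):
    """Return (line number, finding type, detail) for flows that break the policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue                      # malformed record, skip
        _ts, src, dst, _proto, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if action != "ALLOW":
            continue                      # a denied flow means the boundary held
        if (dst_ip in PRINTER_NET and src_ip not in PRINTER_NET
                and src_ip not in PRINT_SERVERS):
            svc = SERVICES.get(port, "other")
            findings.append((lineno, "unapproved-source", f"{src} -> {dst}:{port} ({svc})"))
        elif src_ip in PRINTER_NET and dst_ip not in INTERNAL:
            findings.append((lineno, "printer-egress", f"{src} -> {dst}:{port}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```
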

Long term, Costin recommended that printer vendors clean up their code. Simply patching known vulnerabilities would be a step in the right direction. Better yet, the printer vendors should adopt a Secure Software Development Lifecycle to ensure that the code is trustworthy.

He further invited the security community to help by creating honeypots specifically to collect data about the types of printer malware in the wild. He also reminded his audience that multifunction printers are more “than ‘dummy printers’ – are full-blown machines with great power.” But there’s something else here as well: if we’re overlooking the threats posed by printers, what other network devices are we overlooking as well?

In my next column I’ll talk about new ways to hack mice and keyboards.
