0wning Office Printers

In a talk at last year’s EuroSecWest conference, researcher Andrei Costin presented several vulnerabilities he found within commercial printers. Most recently attacks against printers were mentioned by Alexey Polyakov (Photo), Head of the Global Emergency Response Team of Kaspersky Labs, in a talk last month at the Security Analysts Summit in Malaga, Spain.

Many printers today (and within this definition I’m including multifunction printers that include faxing and scanning) are in fact embedded systems. Must are running some flavor of (RT)OS, such as VxWorks, LynxOS, Nucleus, or Linux. This gives the device a platform so that applications can be loaded to handle the various multifunction features, like color scanning. It also creates a homogenous environment so that if there’s a flaw in LynxOS, there’s an opening for a printer attack. No more security by obscurity.

Additionally, some printers use embedded Java VM such as ChaiServer. Others have embedded Web Servers such as VirataEmWeb. Either way, they have the ability to serve documents remotely, which means someone half away around the world could be snooping through your documents cache. Again, if there’s a flaw in Java VM, there’s now an opportunity for a remote attack.

Even if someone doesn’t have remote access, most modern multifunction printers include hard drives. High capacity hard drives are capable of storing sensitive data, such as legal documents or proprietary information. The hard drives make it possible for large print jobs to be handled quickly, without someone feeding the documents. But what happens when the printer is serviced, the hard drive replaced, and all those sensitive documents walk out the door?

Costin noted that commercial printers have been networked for more than 15 years, yet they are constantly out of computer security’s watchful eye. He cites in his presentation brand names from Xerox (with more than 40 reported vulnerabilities) to Brother (with only 1). And this, he says, represents too few vulnerabilities for a such an mature industry. In other words, why aren’t we seeing more and more vulnerabilities disclosed (and patched) specific to printing?

The dangers are real, says both Costin and Polyakov. Remote attackers could, for example, wage a denial of service attack by re-writing the firmware. More ominously, Costin postulated in his talk about “randsomeware,” where cybercriminals “lock up” the data on a printer in exchange for money, and espionage, where competitors steal proprietary information remotely.

An extreme example would be where malware disables the temperature-sensors within the printer then jams the paper while it’s in the fuser, causing a fire. Having various printers erupt in flames would probably incite terror in any office.

To guard against these scenarios, Costin recommends that System Administrators:

• Develop and follow secure periodic practices and checklists for all your MFPs/printers

• Use and analyze extensive logging using MFPs management platforms

• Properly isolate MFPs on appropriate network segments

• Implement stricter domain-level printing policies

Long term, Costin recommended that printer vendors to clean up their code. Simply patching known vulnerabilities would be a step in the right direction. Better yet, the printer vendors should adopt a Secure Software Development Lifecycle to ensure that the code is trustworthy.

He further invited the security community to help by creating honeypots specifically to collect data about the types of printer malware in the wild. And reminded his audience that multifunction printers are more “than ‘dummy printers’ –are full-blown machines with great power.” But there’s something else here as well: if we’re overlooking the threats posed by printers, what other network devices are we over looking as well?

In my next column I’ll talk about new ways to hack mice and keyboards.