Smart printers not on the security agenda
- 28 February, 2007 11:23
Corporate IT shops haven't been concerned about printer security. Instead of patching and hardening printers, they have been complacent. Security experts say printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.
If these systems aren't hardened, users may soon find their printers rendered inaccessible by attackers, their valuable documents heisted or their printers turned into remote-controlled bots - launching pads for further attacks.
The problem, of course, is that printers aren't on the agendas of many security managers. "It's been my experience that these devices have been completely overlooked from a risk management perspective," security researcher, Brendan O'Connor, said. "They're installed. They work. And nobody pays them any attention until it's time to install a new paper tray or print cartridge."
Not so dumb
In essence, networked printers need to be treated like servers or workstations for security purposes - not like dumb peripherals.
At the Black Hat conference in Las Vegas in August, O'Connor delivered a blow-by-blow presentation on how to bypass authentication, inject commands at the root level and create shell code to take over printers using Xerox WorkCentre printers, which run on Linux operating systems.
He described the kinds of mischief you could do with a compromised printer, including password catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program.
The question remains how many IT departments apply security patches to their printers. "One of the reasons this is a particularly nasty problem is that people don't update their printer software," security technologist, Bruce Schneier, wrote in his blog. "And what about printers whose code can't be patched?"
The apathy toward printer security isn't surprising, since printer attacks have been few and far between in recent years. That's mostly because, right now, it's easier just to hack PCs and laptops, according to senior manager for security response at Symantec, Dean Turner.
But as those systems become more secure through tougher security standards and best practices, he said attackers will turn their tools to the next low-hanging fruit. And unprotected printers are a logical target.
Last year, Symantec logged 12 new security vulnerabilities for fi ve network printer brands: Brother, Canon, Epson, Fujitsu, HP, Lexmark and Xerox. Twelve may seem like an insignifi cant number, but keep in mind that it's greater than the number of printer-specifi c vulnerabilities found in 2005 (10). And the number of such vulnerabilities found in the past two years account for nearly half of all printer vulnerabilities identified since 1997 (52).
There's a common impression that printers are vulnerable to attacks only from inside a company's LAN or via remote log-in to a company's virtual private network. But research director at the SANS Institute, Allan Paller, said that's not true.
And, despite opinions to the contrary, network printers are also already at risk of direct Internet attacks. The first, and most obvious, link is when organisations put network printers outside the corporate firewall to make remote printing easier for employees.
Furthermore, online print-from-anywhere services are also direct points of attack from the Web. Some of these interfaces include embedded Web servers and/or Web pages with IP addresses.
Of all protective measures to be taken on these embedded devices, system hardening and patch management are the most critical, according to security experts. But Paller said vendors, in their attempt to offer more services and uses to their customers, actually make it hard to turn off default services and change passwords.
Vendors have made some advances in filtering, document protection and access controls, but they've made little headway in comprehensive patch management and system-hardening processes. O'Connor said vendors weren't always forthcoming with new vulnerability and patch information, making it difficult for IT to manage what is still mostly a manual process.
Until vendors work these things out and users start treating printers like the points of risk they are, network printers will continue to be sitting ducks, waiting for attackers to pounce.