The Secret Security Threat: Printers

Remember how great it is to have a multifunction printer; one that will scan, print, email and fax?

Cybercriminals think they are pretty great as well because they can become a gateway to stealing data or wrecking a network according to Carl Mazzanti, CEO, eMazzanti Technologies, an IT expert and computer consultant in the Hoboken, NJ and NYC areas.

“The bad guys are always looking for easy ways to break into a network at work or at home,” said Mazzanti.

In a presentation at the last DefCon 19 conference, security researcher Deral Heiland demonstrated various ways to break into an Internet-ready, multifunction printer. These include printers that can scan to a file, scan to email, and fax documents, and the vulnerabilities he found are similar across all printer OEMs.

According to Mazzanti, Heiland recommends that If a user has not taken the time to access the administration control panel webpage for his printer and change its default passwords, he might want to do that sooner than later. However, that will only partially slow down a very persistent criminal.

For example, Heiland demonstrated that if a user did change the default Toshiba printer password from 123456 to something unique, a criminal can simply add an extra backslash to the URL to gain administrator access to the device. Heiland also said that if user copies the URL from the HP Officejet printer login page and then add “page=” to the end and paste it back in, this will bypass any new passwords that have been added to those printers. This could let a hacker access sensitive documents that have been recently scanned or printed.

eMazzanti notes that on some of the printer administration webpages, basic coding mistakes can also expose sensitive information such as passwords.” With the HP Officejet multifunction page, Heiland was able to right-click the page in Firefox in order to see the plaintext of the password normally hidden by black dots. The same, Heiland said, was true on the Toshiba models he’d tested,” continued Mazzanti.

For office printers, internal address books are often used to route faxes and scanned documents to specific workstations. Heiland discovered that Canon requires an attacker to first have a cookie–which, if they are using a Google search to find the administration webpage over the Internet, they would not necessarily have. But if a user clicks to the Home page tab, Heiland said a computer will receive a cookie that allows a user to retrieve the plaintext address book from the printer.

Heiland added that Canon did fix this vulnerability on most of its ImageRunner line, but he found two models–IR3580 and IR4080–that still allowed for this particular hack to work.

In another demonstration, Heiland, was able to redirect the test pages that most printers spit out by intercepting the Lightweight Directory Access Protocol (LDAP) in a sort of man-in-the-middle attack. Here he attacked Sharp and Ricoh printers, redirecting their test pages to him, and setting him up as a valid user according to eMazzanti.

 

Hacked Printer Stories

Mazzanti reviews a few recent printer security stories to demonstrate the ubiquitous nature of the printer attacks across all different manufactures.

According to a July 27, 2012 story in Computerworld: “The Blaster worm hit McCormick and Co. hard and fast. It entered the famous spice company through a service provider connection and ripped across plants and offices in a matter of hours. What was most vexing, however, was that the virus kept coming back on disinfected network segments.

Upon further investigation, it turned out that Blaster, as well as some instances of the Sasser worm, were trying to re-propagate from infected network printers.”

“What is interesting about stories of corporate printer attacks is that their IT departments may still be complacent,” said Mazzanti. “ Instead of patching and hardening printers against malware attacks, printers are loaded with more complex applications than ever before, running a multitude of vulnerability service software imaginable; all with little or no risk management or oversight.”

Bob Sullivan, a columnist for NBC News wrote a November 29, 2011 article entitled Millions of Printers Open to Devastating Hank Attack Researchers Say.

Sullivan poses the question: “Could a hacker from half-way around the planet hijack your printer as a copy machine for criminals, making it commit identity theft or even take control of entire networks that would otherwise be secure?” According to researchers at Columbia University that Sullivan references, this kind of security breach is not only possible but probable.

The article goes on to say: “Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage.”

Another news article on Internet-ink.co.uk entitled Security Threats for Printers, “The internet’s increasing importance to society means that there are now more threats to computer users than ever before. Despite a rise in antivirus and firewall software, online threats still linger for computer users and it is important that customers are as well-prepared as possible

Due to sophisticated viruses currently circulating online, malware can now easily spread to internet-enabled devices, potentially causing errors in printers and wasting the capacity of ink cartridges.”

 

Hire a Professional IT Expert

“Businesses with security threats on any device should seek professional IT help to protect networks and data,” said Mazzanti. “Management that insists it can stay up with all the security threats by themselves are going to regret not hiring an expert when a system goes down or data is corrupted or stolen.”