Wednesday, January 17, 2007

The Surprising Security Threat: Your Printers

Deb Radcliff

 


January 15, 2007 (Computerworld) The Blaster worm hit McCormick and Co. hard and fast. It entered the famous spice company through a service provider connection and ripped across plants and offices in a matter of hours. What was most vexing, however, was that the virus kept coming back on disinfected network segments.

Upon further investigation, it turned out that Blaster, as well as some instances of the Sasser worm, were trying to repropagate from infected network printers.

“Printers were just one of several types of systems contributing to the nightmare at the time,” says Michael Rossman, who’d just taken over as global director of IT services and information security at McCormick at the time of the worm outbreak in 2003. “Blaster went to all our PCs, our radio frequency units, our handhelds. And, we learned belatedly, it also spread to our printers.”

Blaster and Sasser gave IT execs some religion about the vulnerabilities network printers can introduce to corporate networks, Rossman says. Since then, however, there has been little evidence of printer-based attacks spreading across large networks. Corporate IT shops haven’t been concerned about printer security. Instead of patching and hardening printers, they have been complacent. Security experts say that printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.

If these systems aren’t hardened, users may soon find their printers rendered inaccessible by attackers, their valuable documents heisted or their printers turned into remote-controlled bots — launching pads for further attacks.

The problem, of course, is that printers aren’t on the agendas of many security managers. “It’s been my experience that these devices have been completely overlooked from a risk management perspective,” says security researcher Brendan O’Connor. “They’re installed. They work. And nobody pays them any attention until it’s time to install a new paper tray or print cartridge.”

Not So Dumb

In essence, networked printers need to be treated like servers or workstations for security purposes — not like dumb peripherals.

At the Black Hat conference in Las Vegas in August, O’Connor delivered a blow-by-blow presentation on how to bypass authentication, inject commands at the root level and create shell code to take over printers in Xerox Corp.’s WorkCentre line of printers, which run on Linux operating systems. He described the kinds of mischief you could do with a compromised printer, including password-catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program.

O’Connor, who says he has proved in his research lab that these hacks are possible, showed a video of himself exploiting these vulnerabilities in his lab during his Black Hat presentation.

“There are actually quite a few attack vectors in these printers,” says O’Connor, who by day is a security engineer at a Midwest financial services company he wouldn’t name. “I shared a couple in my talk, and I released a couple others privately to Xerox.”

Xerox thanked O’Connor for his research and issued a patch, according to the IDG News Service, though O’Connor says vulnerabilities remain.

The question remains how many IT departments apply security patches to their printers. “One of the reasons this is a particularly nasty problem is that people don’t update their printer software,” security technologist Bruce Schneier wrote in his blog. “And what about printers whose code can’t be patched?” asked Schneier, who is chief technology officer at BT Counterpane Internet Security Inc. in Mountain View, Calif.

The apathy toward printer security isn’t surprising, since printer attacks have been few and far between in recent years. That’s mostly because, right now, it’s easier just to hack PCs and laptops, says Dean Turner, senior manager for security response at Symantec Corp.

But as those systems become more secure through tougher security standards and best practices, attackers will turn their tools to the next low-hanging fruit, Turner says. And unprotected printers are a logical target.

Last year, Symantec logged 12 new security vulnerabilities for five network printer brands: Brother, Canon, Epson, Fujitsu, Hewlett-Packard, Lexmark and Xerox. Twelve may seem like an insignificant number, but keep in mind that it’s greater than the number of printer-specific vulnerabilities found in 2005 (10). And the number of such vulnerabilities found in the past two years accounts for nearly half of all printer vulnerabilities identified since 1997 (52).

This means we’re in the preattack stage with printers, says Chris Wysopal, former director of research and development at @Stake Inc., a security vulnerability assessment firm that was acquired by Symantec. Printers, he says, are on the radar screen of the hacking community, so it’s only a matter of time before PCs and workstations get hardened and attackers start delivering attacks to printers. Wysopal recalls that while working in the vulnerability research lab at @Stake, he hacked into a printer through the infrared port and changed the administrator password.

There’s a common impression that printers are vulnerable to attacks only from inside a company’s LAN or via remote log-in to a company’s virtual private network, researchers say. But that’s not true, says Alan Paller, research director at the SANS Institute in Bethesda, Md.

“Five years ago, four HP Jetdirect printer controllers were used in a denial-of-service attack that took down an ISP in New Mexico,” says Paller. “And more recently, shared printers have become back doors that allow attackers to bridge from low-security areas to high-security areas.”

All it takes is any remote code-execution vulnerability, such as a buffer overflow or cross-site scripting weakness, to spread a bot to the printer or use the printer as a launching pad for other attacks, says Lamar Bailey, senior operations manager of X-Force, a threat analysis service of Atlanta-based IBM Internet Security Systems. ISS keeps a dozen printers in its security lab so it can test new vulnerabilities.

And, despite opinions to the contrary, network printers are also already at risk of direct Internet attacks, say researchers. The first, and most obvious, link is when organizations put network printers outside the corporate firewall to make remote printing easier for employees. This is something O’Connor, Wysopal and Turner all say they have seen too frequently in their vulnerability assessments for clients.

Furthermore, online print-from-anywhere services are also direct points of attack from the Web. Some of these interfaces include embedded Web servers and/or Web pages with IP addresses. This is why, as part of its risk management policy, McCormick turns off remote print services, says Rossman.

Patch Management

Of all protective measures to be taken on these embedded devices, system hardening and patch management are the most critical, according to security experts. McCormick relies on its printer vendors to distribute firmware updates and software patches, says Rossman, while other administrative chores are handled in-house. But Paller says vendors, in their attempt to offer more services and uses to their customers, actually make it hard to turn off default services and change passwords.

Vendors have made some advances in filtering, document protection and access controls, but they’ve made little headway in comprehensive patch management and system-hardening processes. O’Connor says vendors aren’t always forthcoming with new vulnerability and patch information, making it difficult for IT to manage what is still mostly a manual process.

Until vendors work these things out and users start treating printers like the points of risk they are, network printers will continue to be sitting ducks, waiting for attackers to pounce.

“Network printers are large print devices with embedded Windows systems that are interacting with the network just like any other Windows-based system,” says Rossman. “They need to be secured.”

Printer Security Risks

Risk: Network printers have more vulnerable services running on them than networked PCs do.

POSSIBLE ATTACKS
•  Remote code execution
•  Sniffing (for passwords and network information)
•  Capture of intellectual property from documents in queue or in local memory
•  Root control of printer services

SOLUTIONS
•  Disable services you don't need.
•  Use vendor-provided document protection features.
•  Change default passwords and encrypt them.

Risk: Network printer applications have a growing number of vulnerabilities.

POSSIBLE ATTACKS
•  Buffer overflows
•  Cross-site scripting and other common attack methods that disable an application and gain root control

SOLUTIONS
•  Perform better code review.
•  Adopt more secure application development processes.

Risk: Web interfaces, Web servers, Web pages and e-mail are opening printers directly to the World Wide Web.

POSSIBLE ATTACKS
•  Hijacking or impersonating a remote administrator or user session
•  Malicious code injection
•  Remote control of printer

SOLUTIONS
•  Turn off Web connections unless absolutely needed.
•  Use strong authentication for remote administration.
•  Change default passwords.
