Our Printer Got Hacked?!?!By Larry Seltzer | Posted 2007-01-25 Email Print
Opinion: Yes, hackers can enter unprotected ports and exploit buffer overflows in printers. Things never stop getting more outrageous with computer security, do they?It's one of those "not really a big deal yet but could blow up soon" problems: Printers, especially higher-end multifunction business printers, have become so intelligent and complicated that they have serious security risks. They are, in fact, really desktop computers, even workstations in disguise.
They run a wide range of operating systems customized and hardened to varying degrees. Linux, Windows XP Embedded, NetBSD, VxWorks, even AIX in one old IBM printer model. These operating systems may have vulnerabilities on their own, and who knows what flaws are in the applications that do the actual printing, scanning, managing the control panel, and so on.
But on the other hand, consumer printers are almost exclusively attached to individual PCs via parallel or USB, not network-attached, so I'm not so worried. They could be attacked once the PC to which they are attached is attacked, but if you already own the PC, why are you wasting time compromising a printer?
And businesses are vulnerable enough when it comes to printers and perhaps other less-ubiquitous networked devices. Many years ago a friend of mine got a high-end Tektronix (now Xerox) color printer for her business, for which she had all static IP addresses, and the printer was on one of them.
I pointed out to her that the printer was directly accessible from the outside and that if someone knew it was a printer they might be able to print on it, say all night, and use up all her very expensive solid ink. I don't know what OS was running on that printer, but the remote user could probably also have taken the printer over and used it to attack other computers halfway across the world, as well as elsewhere on the LAN.
Thomas Ptacek quotes @stake as saying, "[P]rinters are file servers. For the files you tend to care most about." Think, for instance, about the printers your accountants use to cut checks.
So the answer is that you need to be aware of security issues and on the lookout for updates from your printer vendor. Yes, that's right, your printers need to be added to your patch management cycle, including testing if you actually go that far.
Even as I write all this I get the feeling that it's overstated. As one observer said, you've only got 24 hours in a day; does this really show up on the radar of problems you need to address?
The answer is that it has to begin to. On a real corporate net, if you leave outside access to your printers open (some people actually do this) then you are inviting in outsiders. And if you're in charge of a business' security and you're not aware of these issues, you're not doing your job.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.