February 22, 2008
If you hear about network printers and think of a “dumb” machine sitting in the corner, you are mistaken. They are more like a low-end server running a standard operating system such as Linux or BSD on standard hardware, e.g. the Xerox WorkCentre MFP with an AMD processor, 256MB of SDRAM and an 80GB hard drive, running Linux, Apache and PostgreSQL. Such a printer can be attacked like any other system in your network, maybe even more easily, as no anti-virus software is installed.
What is the possible impact of a compromised printer? A compromised printer can do everything a normal computer could (attacking other systems, sniffing passwords, and so on), but there is one big difference: a printer normally receives all the important documents that many users send for printing. It could easily forward them over the internet to an attacker. The printer has an internal hard disk, so it could store them and send them out slowly. You say your internet access is restricted and the MFPs have no access to it? Good, but then an attacker could use the internal fax; do you monitor that too? Doesn’t this sound scary? It does to me at least, so be aware that MFP systems need their own security strategy.
Let’s look at the current status. Most likely your printers still run the same software version that was installed when you got them; normally nobody installs security updates on printers. But even if you wanted to, the problem is that, in contrast to your other appliances, printer vendors do not really care about security and do not provide security updates in time.
So besides installing security updates and monitoring the download sites for your printers (I don’t believe that most MFP vendors have a security announcement mailing list ;-)), I recommend moving your printers into a separate VLAN that is only reachable through a firewall. Configure the firewall so that only the print servers can talk to the printers and the printers can deliver the received/scanned documents to their destinations. Only the employees responsible for maintaining the printers should be able to connect to the management ports (be it http(s) or telnet). The printers’ access to the internet should be limited to the required “service calls” to the service company, as some printers report to the service company that someone should come, e.g. with a new toner.
And finally, use nmap or even OpenVAS to look at your printers; you will normally see ftp, http, ssh and telnet open. Talk to your printer vendor representative and make them aware that IT security for printers is a concern of yours. Maybe over time the vendors will get better at security, if enough customers care about it.
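To turn the scan from the last paragraph into something you can act on with the firewall policy from the paragraph before it, here is an added example (my own code, not part of the original post or any vendor tool) that reads the XML output of `nmap -oX` for the printer VLAN and sorts every open port into one of the policy classes: cleartext management (ftp, telnet, plain http), other management (ssh, https, snmp), printing (JetDirect, IPP, LPD), or unexpected. The printer addresses, the two scanned hosts and their open ports are constructed sample data, not a real scan; the port classification is my assumption of what such a policy would look like.

```python
import xml.etree.ElementTree as ET

# Management ports: only the printer admins' hosts should reach these through the firewall.
MANAGEMENT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "https"}
# Subset of the above where credentials and sessions travel unencrypted.
CLEARTEXT_MANAGEMENT = {21, 23, 80}
# Ports the print servers need to submit jobs: raw JetDirect, IPP, LPD.
PRINTING_PORTS = {9100: "jetdirect", 631: "ipp", 515: "lpd"}

# Constructed sample of what `nmap -oX - 10.20.30.0/24` might return for two MFPs
# (hosts, addresses and ports are made up for this example).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -oX - 10.20.30.0/24">
  <host><status state="up"/>
    <address addr="10.20.30.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.30.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="631"><state state="open"/><service name="ipp"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
""".strip()


def parse_open_ports(xml_text):
    """Return {ip: {port: service_name}} for every host that has at least one open port."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        open_ports = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not a finding
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports[int(port.get("portid"))] = name
        if open_ports:
            hosts[addr] = open_ports
    return hosts


def classify_port(port):
    """Map a port number to the firewall policy class it belongs to."""
    if port in CLEARTEXT_MANAGEMENT:
        return "cleartext-management"
    if port in MANAGEMENT_PORTS:
        return "management"
    if port in PRINTING_PORTS:
        return "printing"
    return "unexpected"


def audit_scan(xml_text):
    """Return {ip: [(port, policy_class), ...]} sorted by port for each scanned printer."""
    return {
        ip: [(port, classify_port(port)) for port in sorted(ports)]
        for ip, ports in parse_open_ports(xml_text).items()
    }


ADVICE = {
    "cleartext-management": "restrict to admin hosts at the firewall, or disable and use the encrypted alternative",
    "management": "restrict to admin hosts at the firewall",
    "printing": "allow only from the print servers",
    "unexpected": "not covered by the policy; identify the service and block or justify it",
}

if __name__ == "__main__":
    for ip, findings in audit_scan(SAMPLE_NMAP_XML).items():
        for port, policy_class in findings:
            print(f"{ip}\tport {port}\t{policy_class}: {ADVICE[policy_class]}")
```

Run it against a real scan by replacing `SAMPLE_NMAP_XML` with the contents of `nmap -oX printers.xml 10.20.30.0/24` for your own printer VLAN; the output is the list of ports the firewall rules from above have to cover, plus anything unexpected that the policy does not yet account for.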