Multi Function Printers – A Security Risk

1 03 2012

Today’s market place is flooded with solutions geared to ensure security for servers, desktop, laptop and other portable devices. However limited availability of printer security solutions suggests that customers are either unaware or underestimate the risk associated with such devices.

Despite the advancements in printer technology and the advent of Multi Function Printers (MFP), the general perception seems to be that the printer is a dummy device. Contrary to the popular belief, printers are smart machines that run windows or Linux-based operating system kernels[1] capable of running network services. These printers are equipped with internal hard drives[2] and store a digital copy[3] of the jobs executed. In some circumstances the MFP’s act as special purpose servers.

The flow and storage of sensitive corporate data through MFP makes it an object of interest for potential hackers. My blog is an attempt to highlight how the corporate data can inadvertently get compromised through MFPs.

Following are some of the ways in which the corporate date is vulnerable to exposure through MFPs:

a.  Hard drive (HD): With physical access to the HD, attacker could read and potentially exploit the content. Manufactures are starting to either encrypt the data or wipe the data after use.  However, these are half-baked solution which can be circumvented using off-the-shelf commercial decryption software. I learned that last year, CBS along with Sacramento based company Digital Copier Security[4] demonstrated such capability to their viewers. Following are examples[5] of the sensitive data they were able to extract from recently refurbished MFP available for sale:

  • from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.
  • from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders
  • from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.
  • from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

b.  Spyware: IF the attacker is able to gain physical access to the MFP, then he may be able to bug the equipment by either modifying the firmware or installing a sniffer[6] device. This way the attacker is able to tap the data flowing through the MFP. If done correctly such breach is difficult to detect. Once access is gained the attacker has to be careful to not trigger alarms by downloading large amounts of data. For example recently a news piece detailing security breach at Nortel[7] came to light. In this instance, the data hack continued for 10 years without being noticed. The hacker was careful not to alert the system by downloading excess data. In one instance he even discontinued his activity for few months forcing the authorities to go cold on his chase.

c.  Laptop:  If an attacker is able to access the printer then he can intercept print jobs, launch attacks on other devices which are configured to trust the compromised printer.

d.  Web based administration: Vendors advertise that users can remotely administer printers using a web browser. Enabling remote administration involves implementing a scaled down version of popular embedded web server (EWS). Long lead times result in a product with known vulnerabilities to be released in the market. This results in data security issues that remain unaddressed because the users may be unaware.

e.  Telnet[8]: Some MFP devices do not set a password for telnet access when the administrator password is chosen. “As a result, the telnet port will be left exposed to unrestricted remote access. Remote users with malicious intent will be able to access the device to cause a denial of service, or potentially monitor printer activity to gather information that may be used to compromise systems. Additionally, this problem is compounded by the fact that the admin password is reset when the device is rebooted”.[9]

f.  Printer Job Language (PJL): PJL is an extension of printer command language (PCL) and has ability to control printer configuration and file system. It supports simple password implementation which “can be broken in less than 6 hours by brute force[10]. The power of PJL is well demonstrated in the article “Hacking” Printers – PJL Basics [11]where an attacker could easily modify printer configurations including IP address, browse file on the hard drive, extract admin password etc.

g.  Simple Network Management Protocol (SNMP): SNMP’s simplicity makes it a popular choice for the network management. Before we explore SNMP’s vulnerabilities following is a quick synopsis of how does SNMP work:

“SNMP employs only three general types of SNMP operations. Get requests retrieve management data from the device, set requests modify the remote device’s configuration, and trap messages let a device send asynchronous notification and signal condition changes.”[1]

SNMP vulnerabilities revolve around trap handling (VU#107186[1]) and request handling (VU#854306[2]). Since UDP (primary communication protocol in SNMP) source address can be easily spoofed[3], attacker can send messages from authorized network management station (NMS) and shutdown printers. Thus these vulnerabilities could lead to denial of service attacks, format string vulnerability, and buffer overflows[4].

h.  Backdoors: Vendors build backdoor access to service printers and make it obscure for the users. However, such backdoors don’t remain obscure for too long and attackers exploit such vulnerabilities. Backdoor access is typically designed to help administrator with configurations and unauthorized access could result in serious security breach. To further compound the problem, once such backdoors are exposed it is cost prohibitive for vendors to fix such breaches as they have to redesign and deploy the patch.

As demonstrated above, a simple network device like MFP can be source of major data security breach. Understanding the threat is the first step to addressing the issue that so often goes unnoticed.

In my next blog, I plan to discuss mitigation strategies and best practices.

[1] News Reports Can Help Inform Your Printer Security Strategy, 6 December 2011, Gardner Research

[2] Digital Photocopiers Loaded With Secrets; By Armen Keteyian April 20, 2010 9:35 PM

[6] Printer Insecurity: Is it Really an Issue? SANS Institute InfoSec Reading Room; Vernon T. Vail May 28, 2003

[7] 8 Lessons From Nortel’s 10-Year Security Breach – By Mathew J. Schwartz   InformationWeek February 17, 2012 12:12 PM

[8] Printer Insecurity: Is it Really an Issue? SANS Institute InfoSec Reading Room; Vernon T. Vail May 28, 2003

[9] HP JetDirect JetAdmin Password Vulnerability –

[10] Printer Insecurity: Is it Really an Issue? SANS Institute InfoSec Reading Room; Vernon T. Vail May 28, 2003

[11] “Hacking” Printers – PJL Basics Thursday, December 1, 2011  –

[12] US-CERT (United States Computer Emergency Readiness Team) Vulnerability Note VU#107186 –

[13] US-CERT (United States Computer Emergency Readiness Team) Vulnerability Note VU#854306

[14] Multiple Vulnerabilities in SNMP – Guofei Jiang, Institute for Security Technology Studies (ISTS), Dartmouth College

[15] Multiple Vulnerabilities in SNMP – Guofei Jiang, Institute for Security Technology Studies (ISTS), Dartmouth College

[16] Multiple Vulnerabilities in SNMP – Guofei Jiang, Institute for Security Technology Studies (ISTS), Dartmouth College