This is page 2 of:
Is A Network Printer Increasing Your PCI Vulnerability?
Two things are different here. Not only is this a proven attack that can uncover user credentials remotely, but it also can provide network access to other devices that may contain sensitive data. Beyond the cleartext usernames and passwords referenced above, there are other risks. If the attacker connects to the networked printer/copier/scanner in, say, a chargeback or card processing center, the thief could remotely order scans to capture documents left on the device. The attacker may be able to get away with this activity for long periods of time, because printers usually are not subject to the types of monitoring that would normally apply to other servers.
These attacks could be executed remotely, so the hacker never needs to expose himself. Furthermore, the attack does not require particularly sophisticated techniques. It is an old-school attack on a new-school device. In my colleague’s experience, the attacks are about 90 percent successful. Too many people fall prey to a “set and forget” mentality when installing a printer—setting the password once and assuming the device is always doing everything right forever after.
IT departments can mitigate the risk of falling prey to this vulnerability in several ways. First, assume the devices are vulnerable and restrict access to them, and then segment them on their own network and protect them behind firewalls or other devices. Many companies take these precautions already, but many others allow the printers direct access to the Internet. This option makes them—and any system connected to them—particularly vulnerable, because anyone on the planet could access your unhardened network devices.
Ultimately, in the long term, it is up to the manufacturers to re-architect their products to protect the information. It also would be great if they could offer a way to retrofit additional security onto existing devices, so they at least did not store user credentials in cleartext. We can only hope that at least some manufacturers will see a marketing advantage and bring more secure devices to the market.
What do you think? Do you still think a paper jam is the biggest problem with your printer? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
February 10th, 2011 at 2:48 pm
I’m hazy on what’s being discussed here, and don’t seem to find a definitive reference.
Are you saying that there are domain-aware multifunction devices that cache domain credentials in cleartext, or are you working the angle that all other things considered, people are likely to use their domain credentials in some local store of passwords on the multifunction device?
February 11th, 2011 at 12:22 pm
Search youtube for “shmoocon printer pwnd” to a presentation on leveraging weak security controls on printers to gain network access.
February 11th, 2011 at 4:48 pm
Thanks for the comments and questions. To jml’s quetion: I was saying that these multi-function devices do indeed store credentials in cleartext, and that sometimes these are domain credentials. Since the devices are frequently open to the Internet this means the device can provide a pathway to compromise other systems.
To “the other anonymous”: Here are some sources for additional insights. MSNBC picked up the story (http://news.mobile.msn.com/en-us/article_tech.aspx?aid=41302075&afid=1) as did Technology Review (http://www.technologyreview.com/computing/27121/page1/). If you want to see the presentation made at Shmoocon, here is a UTube link (http://www.youtube.com/watch?v=MPhisPLwm2A).
February 17th, 2011 at 11:45 am
I wouldn’t think the devices would just go out and get the indormation. How about discussing where the information is coming from. Do you think that if a person writes this information on a piece of paper that the same problem exists? I can either copy what I find on the paper or scan it, OMG not its on a multifunction device.
Do you think I need to shoot my partner because she has access to information that I have secured in my desk?
This is getting insane.