No, it is not a trick question and, yes, your security could be compromised by the fact that you trust your printer almost implicitly. At the Black Hat Security conference this week, Brendan O’Connor proved just how insecure embedded software can be, by exploiting a vulnerability affecting Xerox printers and intercepting data from content printed by one. O’Connor managed to map an internal network, and gain access to all information printed, copied or faxed by the multi-function device, not to mention the ability to run unauthorized software on the printer itself.

So how come a printer can be targeted by such exploits, you may ask. But if you apply a little sideways logic and think of a workgroup printer as being just a Linux server inside a copier, things start to become rather clearer. And as these kinds of devices become ever more complex, then the security risk to the data that passes through increases. And as the volume of data, sensitive and often commercially so, is immense, perhaps it is time you started taking this kind of ‘at the edge’ hardware security issue a lot more seriously than at present. After all, it is not a new threat, and I am sure I am not the only one who recalls reading about exactly this kind of hardware vulnerability many years ago in publications such as 2600.

In fairness to Xerox, this particular vulnerability, known as the WorkCenter Printer Bug, was patched way back in February. Unfortunately, the Black Hat demonstration would seem to suggest that the patch was not good enough and the printer remains vulnerable. Xerox has stated that it is working to fix this, and a further patch will be released. What is more, and impresses the heck out of me to be honest, is the fact that the Xerox representative who attended the demonstration was appreciative of O’Connor’s efforts in bringing the problem to light.

This is in stark contrast to the reaction of Cisco last year, which reacted to a vulnerability disclosure at Black Hat 2005 by Michael Lynn with a lawsuit. This knee-jerk corporate protectionism reaction does nothing to reassure public concern about security issues. Running scared of assumed public reaction, of being found out, and seeking to hide a vulnerability rather than allow such information into the public domain where it can empower users, increase risk awareness and even ultimately ensure greater accountability at developer level, is short-sighted in the extreme. So a big pat on the back to both O’Connor and Xerox on this occasion.

Of course, such things as the Digital Millennium Copyright Act do not exactly help the would-be whistle-blower, imposing restrictions on developing tools that can circumvent access controls and so help researchers uncover vulnerabilities.

All 3 Replies

The "researchers" you are talking about are the crackers who would use such tools to steal corporate secrets and commit sabotage.
And they don't care a gnat's ass about the DMCA (or any other law).

And there's no telling whether this printer was updated with current firmware or not.
Most likely (given the state of most company networks when it comes to applying software patches) it was still running the exact same version it did when it was uncrated on delivery.
That's the massive fallacy people get trapped by when they cry foul about the latest piece of malware infecting their systems about software manufacturers not supplying updates. The updates are usually there weeks or months before any vulnerability is exploited, but users fail (either through negligence or policy or both) to install them.

Some cases in point as examples.
1) at a former employer we had one of our servers seriously compromised (it was in fact wiped clean). On analysis we discovered the saboteur had come in on a vulnerability in Apache, a patch for which had been released 2 years prior but had not been installed. Everyone responsible for such things had simply forgotten that the machine was exposed to the outside world and never bothered installing any updates at all. It was a ticking timebomb, pure luck was the only reason it didn't get hit sooner.

2) at a former customer they had a policy to never install any software that was not at least 1 major release, 1 minor release, 1 fixlevel, and 1 patchlevel old.
As a result they left themselves open to quite a lot of security problems.
Ironically, that policy was inspired by a sysadmin who was of the opinion that the latest version of anything was always too unstable to be secure and it would take at least one more release to fix all the holes.

The "researchers" you are talking about are the crackers who would use such tools to steal corporate secrets and commit sabotage.

That is, to be fair, unfair.

There is a big difference between security researcher and hacker/cracker. Most security professionals that I have spoken to, albeit thanks to my husband being involved in this side of the IT business, have tended to suggest that events such as the Black Hat conference are good things.

I doubt that the demonstration happygeek talks of would have been carried out on an unpatched device, especially as the man from Xerox was present and apparently impressed.
