Printers can be hacked and used to launch denial of
service attacks or compromise employee details over the web, a
security expert warned last week.

Richard Brain, technical director at security consultancy
Procheckup, said network printers could be hacked. "As an example,
we accessed company networks by browsing from their proxy server
and could view all their printers and print pages," he said.

Brain's team were able to view the internal IP addresses of
printers as well as the name, phone number and e-mail address of
the person the IT department had down for support purposes.

Few printers are password-protected, so any intruder can access
printer functionality. "You can also change configurations and
document settings and shut a printer down for the annoyance
factor," said Brain.

He added that it was possible to launch a distributed denial of
service attack from corporate printers that have their own IP
addresses and web interfaces with no password protection. "The
worst thing I can think of is the printer might be able to make a
'bounce' denial of service attack. A proxy and multiple IP
addresses can be used to attack other machines."

Alan Clark, European product marketing manager for Xerox's
Office Group, said it was theoretically possible to compromise the
security of a printer or multifunction device through the browser
interface, and even launch a denial of service attack.

But, he added, "There are easier ways to launch attacks once
inside a company's network. With most printers, management is on
the inside and the breach would have to be at server-level."

Clark advised companies to ensure they had suitable security at
the proxy server. "Printer security is becoming more and more
important with the sensitivity of data and networks becoming more
and more critical, certainly with larger organisations," he
said.

"Some printers are typically portals for producing paper and the
devices are becoming more and more flexible for users. For example,
you can set the machine to automatically tell an administrator to
re-order supplies, but you do not have to populate the device with
e-mail and phone number information. There is a trade-off between
usability and security."

Clark also said that Xerox's multifunction devices were starting
to adhere to a new office equipment security standard from the US
government's National Information Assurance Partnership.

Nick Shuttleworth, multifunction printers product manager at HP
UK, said, "HP provides a number of comprehensive steps to lock down
access via a number of security levels, password control and access
lists."