Richard Brain, technical director at security consultancy Procheckup, said it was possible to hack network printers. "As an example, we have accessed company networks by browsing from their proxy [server] and we can view all their printers and print pages," he said.
Tests conducted by Brain's team showed that it was possible to view the internal IP addresses of the printer, the person's name, their phone number and e-mail address if the information has been configured for support purposes.
He said few printers used passwords for protection, which means that anyone breaking in can access printer functionality. "You can also change configurations and document settings and shut a printer down for the annoyance factor," he said.
Brain added that it is possible to launch a distributed denial of service attack from corporate printers that have their own IP addresses and web interfaces with no password protection. "The worst thing I can think of is the printer might be able to make a 'bounce' denial of service attack. A proxy and multiple IP addresses can be used to attack other machines," he said.
Alan Clark, European product marketing manager for Xerox's Office Group, said that theoretically it is possible to compromise the security of a printer or multifunction device through the browser interface, and even launch a denial of service attack. However, he added, "There are easier ways to launch attacks once inside [a company's network].
"With most printers, management is on the inside and the breach would have to be at server level. Companies should make sure they have suitable security at the proxy server.
"Printer security is becoming more and more important with the sensitivity of data and networks becoming more and more critical, certainly with larger organisations.
"Some printers are typically portals for producing paper and the devices are becoming more and more flexible for users. For example, you can set the machine to automatically tell an administrator to re-order supplies, but you do not have to populate the device with e-mail and phone number information. There is a trade-off between usability and security," said Clark.
He said Xerox's multifunction devices are starting to adhere to a new office equipment security standard from the US government's National Information Assurance Partnership.
Nick Shuttleworth, multi-function printers product manager at HP UK, said, "HP provides a number of comprehensive steps to lock-down access via a number of security levels, password control and access lists."