Printers can be hacked and used to launch denial of service attacks or compromise employee details over the web, a security expert warned last week.
Richard Brain, technical director at security consultancy Procheckup, said network printers could be hacked. "As an example, we accessed company networks by browsing from their proxy server and could view all their printers and print pages," he said.
Brain's team were able to view the internal IP addresses of printers, as well as the name, phone number and e-mail address of the person the IT department had listed as the support contact.
Few printers are password-protected, so any intruder can access printer functionality. "You can also change configurations and document settings and shut a printer down for the annoyance factor," said Brain.
He added that it was possible to launch a distributed denial of service attack from corporate printers that have their own IP addresses and web interfaces with no password protection. "The worst thing I can think of is the printer might be able to make a 'bounce' denial of service attack. A proxy and multiple IP addresses can be used to attack other machines."
Alan Clark, European product marketing manager for Xerox's Office Group, said it was theoretically possible to compromise the security of a printer or multifunction device through the browser interface, and even launch a denial of service attack.
But, he added, "There are easier ways to launch attacks once inside a company's network. With most printers, management is on the inside and the breach would have to be at server-level."
Clark advised companies to ensure they had suitable security at the proxy server. "Printer security is becoming more and more important with the sensitivity of data and networks becoming more and more critical, certainly with larger organisations," he said.
"Some printers are typically portals for producing paper and the devices are becoming more and more flexible for users. For example, you can set the machine to automatically tell an administrator to re-order supplies, but you do not have to populate the device with e-mail and phone number information. There is a trade-off between usability and security."
Clark also said that Xerox's multifunction devices were starting to adhere to a new office equipment security standard from the US government's National Information Assurance Partnership.
Nick Shuttleworth, multifunction printers product manager at HP UK, said, "HP provides a number of comprehensive steps to lock down access via a number of security levels, password control and access lists."