Posted on 02/14/2008 7:36:11 AM PST by STARWISE
REFERENCES ARTICLE FROM SOURCE THAT CAN'T BE POSTED HERE.
~~~~~
eweekhickins writes to share an article *snip* highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machines sitting in the corner and should be treated with their own respective security strategy.
~~~~
Forum post on Slashdot:
~~~~
"The biggest issue isn't a lack of (software or physical) security regarding the machine, but a lack of a security policy in these instances.
At our institution, machines have unique names, unique passwords (when they have to scan to a network drive), and are behind the campus firewall. But a user could get one, hook it up (putting it behind the firewall) and not change the default password and we'd 1) be none the wiser and 2) have no control over the machine. If a department gets one, it's their printer, not ours.
Still, with client-side antivirus and firewalls, and the control we have over the servers (for a multifunction printer to be able to scan to a server, it has to be given specific access, which doesn't happen lightly), it doesn't seem like being able to access the web interface can pose a whole lot of a threat.
An attacker could potentially waste a ream of paper or two, a bit of toner, but I don't foresee any major consequences."
(Excerpt) Read more at it.slashdot.org ...
I don't think there are any.
~PING!
Many multi-function printers also come with slots for various types of camera media, thus effectively making them network-attached disk drives.
Is there any way to protect a single multifunction printer, TPC? I knew you'd have some advice ... thanks in advance ... ;)
If I were managing printers inside the Pentagon, or inside a major defense contractor, I'd be thinking really carefully about this one. And if I were managing IT inside a big company, I'd be doing as the article suggests, starting to talk up my printer vendors on this, to see what story they have, to begin to encourage them to actually get a clue, and to begin to reward those who take this seriously with more business.
But I see no evidence that this is the year that those of us in small, mundane businesses, or those of us at home or in home offices, should worry. I'll be spending about as much time worrying about this as I worry about threat vectors for Lockheed C-5A Galaxy transports.
Besides, even if it was the year for us ordinary folks to worry about this, there ain't a damn thing you can do yet, except that which would be more effort than it was worth, and require specialized expertise that few have.
Printers are certainly potential threat vectors. They are special purpose computers sitting on the network, ill managed and fully equipped. But (1) the potential isn't being realized yet -- crackers haven't mounted widespread attacks using them yet, and (2) nor are the practical protections there yet either -- neither printer nor security vendors have much to sell you here, nor do we Open Software hackers have much for you to download, compile and mess with yourself, that any ordinary person would find useful.
If you're a Gold Star member of the tin foil hat society, or if you choose (for reasons of modest income or of Green persuasions) to pinch pennies, I suppose you could leave your printer powered off when you aren't using it.
You could put a router, custom configured, in front of your printer to keep out all but print traffic. That's actually doable, and would block much of the potential risk. Your time would be better spent taking a walk and enjoying the sunset.
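An added example, not part of the post above and not from the article: one way the "router in front of the printer" idea could be written as an nftables ruleset on a Linux box that forwards traffic between the LAN and a single printer. The two addresses are assumptions; the ports are the standard printing ports (LPD 515, IPP 631, raw/JetDirect 9100).

```nftables
#!/usr/sbin/nft -f
# Added example: forward-chain filter for a router sitting between the
# client network and one multifunction printer.
# Both addresses are assumed values; replace them with your own.

define PRINTER     = 192.168.50.10     # assumed printer address
define LAN         = 192.168.1.0/24    # assumed client network
define PRINT_PORTS = { 515, 631, 9100 } # LPD, IPP, raw/JetDirect

table inet printer_guard {
    chain forward {
        # Other forwarded traffic is untouched; only the printer is fenced.
        type filter hook forward priority 0; policy accept;

        # Return traffic for connections a client already opened.
        ct state established,related accept

        # LAN clients may open new connections to the print ports only.
        ip saddr $LAN ip daddr $PRINTER tcp dport $PRINT_PORTS ct state new accept

        # Anything else addressed to the printer, such as its web
        # interface, is logged and dropped.
        ip daddr $PRINTER log prefix "printer-in-drop: " drop

        # The printer may not start connections of its own, so a
        # misbehaving device cannot reach other hosts through the router.
        ip saddr $PRINTER log prefix "printer-out-drop: " drop
    }
}
```

The last rule also blocks scan-to-server from the printer; a site that needs that feature would add one explicit accept for the specific file server and port ahead of it. The log prefixes give a record of any attempt to reach the printer on a non-print port.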
Thank you for your insights and advice ... I guess I'll just be Scarlett and worry about that tomorrow .. ;)