T 4.64 Complexity of printers, copiers, and all-in-one devices

Nowadays, network printers, high-performance copiers and all-in-one devices are complex IT systems. They not only come with extensive equipment and an expanded range of functions, but they can also introduce new risks to other IT systems or to the LAN.

Local administration interfaces

On some printers and all-in-one devices, access to the administration interface cannot be secured, i.e. it cannot be protected against unauthorised access by a password prompt. With administrator rights, an attacker could manipulate the printer so that it no longer accepts any print jobs or, for example, writes all print jobs received to an internal memory for viewing at a later time.

Administration via LAN

Network printers and all-in-one devices can generally be administered over the local network as well. If access protection is not possible or has not been set up, the data held in the printer can be read out or manipulated. In some cases, this is possible not only from workstations on the local network, but also from the Internet. Some printers even have a Java engine that permits the installation and execution of arbitrary Java programs as well as Java configuration applets on the printer. In addition to the ability to manipulate printer settings and print jobs, this also opens up a wide range of attack possibilities on the local network that can be carried out via the printer.

Integrated web servers

Many network printers and high-performance copiers now have built-in web servers intended to make administration easier. Ease of use in this case comes at the cost of additional risks. For example, printers with integrated web servers were crashed in the past as a side-effect of a worm attack ("Code Red") even though they were not affected by the actual attack of the worm. Some manufacturers do not offer any possibility of securing web access to the printer administration, for example by restricting access to authorised persons only. The web interface is often neglected during configuration, so that internal or even external persons are able to manipulate the printer configuration and usage, depending on how the printer is connected to the existing network. For example, any user of the printer could accidentally or intentionally delete other people's print jobs or adversely affect the availability of the printer. Some web servers in printers also return diagnostic data when an excessively long URL is entered. This data can then form the basis for the development of attack programs.

Unencrypted communication with the administration

HTTP(S), Telnet or SNMP (Simple Network Management Protocol) are often used as the protocols for configuration.

In the case of access via HTTP or Telnet, the information is not protected during transmission. An attacker could listen in on the communication and thereby read the password for configuration. This password could then be used for a number of attacks on confidentiality, availability and integrity if no other safeguards are implemented.

In addition to configuration by the administrator, user access to the web servers on printers is also often desired. The users could then, for example, cancel their print jobs or check whether the printer is currently processing any other print jobs. However, the users will also be able to see what kinds of documents other employees are printing out. Usually, the file name of the document to be printed is visible, for example "Application_CompanyNextDoor.doc". If an attacker is able to read the passwords of other users transmitted in plain text, then the attacker could view or cancel the print jobs of other users or redirect the printout to another printer. Users usually repeat the print operation until the document is printed out on their preferred printer. In this way, documents from sensitive areas can get into the hands of unauthorised persons without anyone noticing.

Special printer services and usage environments

Various manufacturers have implemented an address book function into their network printers for integrated sending of e-mails or faxes. When such functions are used, it is difficult to ensure that data will not be passed on to unauthorised persons via the printer and onto the Internet, for example.

Many printers can also be controlled via FTP and, with anonymous access, via LDAP. This could be used by any user in the local network to manipulate the printer. Some manufacturers even offer free additional software over the Internet that can be used to largely bypass the password assigned for printer configuration. In most cases, access to the configuration of the printer is not restricted as delivered by the manufacturer. In some operating systems, network printers can be configured using a domain assignment in addition to configuration via LDAP. In this case there is a risk that unauthorised persons on LAN servers could obtain administrator rights for the printer.

For some purposes, it may make sense to connect the printer over a wireless network or to use wireless printers directly. Wireless transmissions of this type also need to be protected appropriately against eavesdropping, falsification of data, manipulation of the printer configuration, disruption of the connections and other security problems.
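The cleartext administration protocols named above (HTTP, Telnet, SNMP) and the FTP/LDAP control paths from the previous section can be audited from connection records. The following script is an added example and not part of the original catalogue text: it runs a defender's check over a constructed set of firewall/Zeek-style connection tuples, flagging administration of a printer over an unencrypted service and administration from outside a designated admin subnet. The printer address, admin subnet and sample records are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample connection records (src_ip, dst_ip, dst_port, service tag),
# roughly what a firewall log or Zeek conn.log would yield. Not from a real network.
SAMPLE_CONNECTIONS = [
    ("10.1.5.23", "10.1.9.10", 443, "ssl"),    # HTTPS admin from the admin VLAN: acceptable
    ("10.1.5.23", "10.1.9.10", 23, "telnet"),  # Telnet admin from the admin VLAN: cleartext
    ("10.1.7.77", "10.1.9.10", 80, "http"),    # HTTP admin from a user VLAN: cleartext, wrong net
    ("10.1.7.77", "10.1.9.10", 9100, "raw"),   # plain print job on the raw print port: normal use
    ("203.0.113.9", "10.1.9.10", 21, "ftp"),   # FTP from an Internet address: cleartext, external
    ("10.1.7.78", "10.1.9.10", 389, "ldap"),   # LDAP from a user VLAN: cleartext, wrong net
]

PRINTERS = {"10.1.9.10"}                               # assumed printer address
ADMIN_NET = ipaddress.ip_network("10.1.5.0/24")        # assumed printer-admin subnet
# Management services that carry credentials or configuration unencrypted.
CLEARTEXT_ADMIN_PORTS = {80: "HTTP", 23: "Telnet", 21: "FTP", 161: "SNMP", 389: "LDAP"}
# Management services that at least encrypt the session.
ENCRYPTED_ADMIN_PORTS = {443: "HTTPS", 22: "SSH"}

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str

def audit_printer_admin_traffic(conns, printers=PRINTERS, admin_net=ADMIN_NET):
    """Return one Finding per policy violation seen in the connection records."""
    findings = []
    for src, dst, port, _service in conns:
        if dst not in printers:
            continue
        service = CLEARTEXT_ADMIN_PORTS.get(port) or ENCRYPTED_ADMIN_PORTS.get(port)
        if service is None:
            continue  # print-job ports (9100, 515, 631) are normal use, not administration
        if port in CLEARTEXT_ADMIN_PORTS:
            findings.append(Finding(src, dst, port, f"{service} administration in cleartext"))
        if ipaddress.ip_address(src) not in admin_net:
            findings.append(Finding(src, dst, port, f"{service} administration from outside admin net"))
    return findings

if __name__ == "__main__":
    for f in audit_printer_admin_traffic(SAMPLE_CONNECTIONS):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Only the HTTPS session from the admin subnet passes; the raw print job is deliberately ignored because the check targets administration, not printing.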

Software errors

Errors in the implementation of printer drivers can also affect the security of a workstation computer. Security vulnerabilities have been found that made it possible for users with normal user rights to gain administrator rights due to a faulty printer driver.

The lpd printer daemon often used in Unix is vulnerable to buffer overflows in several versions. This makes it possible, for example, to initiate denial-of-service attacks or to start program code with root rights from remote computers. Another hazardous function in Windows ME was the automatic installation of all shared printers in the network. In this case, files were automatically transferred from external printers and operating systems and then installed on the computer running Windows ME. It was therefore easy to attack the operating system by executing VXD files.

Examples: