Comments on: Hacking Devices – Ensuring your printer is secure http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/?utm_source=rss&utm_medium=rss&utm_campaign=hacking-devices-ensuring-printer-secure Brought to you by GFI Software Fri, 13 Sep 2013 13:27:20 +0000 hourly 1 By: Emmanuel Carabott http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/comment-page-1/#comment-436 Emmanuel Carabott Thu, 26 Nov 2009 10:04:19 +0000 http://www.gfi.com/blog/?p=1597#comment-436 Of course you are right in that an end user will not buy an enterprise printer. However nowadays they don’t need too. For $100 – $200 you can buy not only network printers but also WIFI enabled printers. If a non-technical person buys a printer, he will do so according to his requirements. If he intends to hook it up at work it’s likely that he will not be able to use USB due to restrictions; or he just believes that it should be network simply because all other company printers work that way. In the future it’s very possible that it might get even worse in that a feature included on one printer will be included on other printers by manufacturers so as to appear on par or better than their competition; therefore WIFI is sure to spread among printers.

Obviously it is a lot less likely that an employee buys a printer of his own accord and just hooks it up at work. However it does happen. One instance is all it takes. It is also unlikely that a cheap printer will have a functionality such as storing copies locally of printed documents, but you don’t know what vulnerabilities it might have. Some time ago I did come across a vulnerability in a printer driver that allowed remote access to any file on the machine on which it was installed.

Don’t get me wrong, I know all this basically borders on paranoia… well actually it’s more like right in the middle of it; unfortunately in security that’s exactly where you need to be. One weak link is all it takes for all your hard work to crumble.

Finally I perfectly agree with your suggestions. Permissions can definitely help to mitigate this risk and a security procedure on device management can ensure that proper security consideration are considered when installing devices. I would also add monitoring to your list just to be on the safe side.

As for upnp and bluetooth you’re spot on there as well. Might be a good topic to discuss in a future article. Thanks :)

]]> By: Leandro Amore http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/comment-page-1/#comment-415 Leandro Amore Fri, 20 Nov 2009 20:58:36 +0000 http://www.gfi.com/blog/?p=1597#comment-415 Nice post, but although I agree with you in the dangers of unsecure devices, I really don’t think that every person is in danger. I don’t know the consumer habits in your country, but in Argentina it’s not common to buy enterprise printers for personal use so I don’t really see the problem for that kind of users.
Regarding the enterprise there are two points to be taken into consideration:
1. The minimum permissions to install a local printer are Local Admin or power user (with the load/unload driver permissions). So, if a company grants those permissions to any user there are bigger problems to be taken care first.
2. I agree with you that even if installed by IT Professionals, in most cases printers are not taken into considerations from a security point of view. So it’s really important for the security department to write a secure procedure for printer installation and attack surface reduction. We don’t always need all the services that these hardware offers.
Every device, not only printers, should be tested and analyzed by a competent IT Pro before installing it in our networks. Nowadays, most hardware offers lots of new and really comfortable services, but these comfort usually relaxes security.(For example Upnp or bluethooth.)

]]>