Study: Common printers in enterprises are vulnerable to hacking
A new study has found that printers commonly used in enterprise environments are a security risk that can be exploited to leak information and execute code.
The study, Exploiting Printer Security from Ruhr-Universität Bochum researcher Jens Müller, analyzed 20 printers and multi-function printers to find that every single printer tested had at least one exploitable security vulnerability.
Testing of the printers, which included units from HP, Brother, Lexmark, Dell, Samsung, Konica, OKI and Kyocera, found that the vulnerabilities were primarily due to vendors failing to separate page description languages such as PostScript and PJL/PCL that are used to generate the output from printer controls. “Potentially harmful commands can be executed by anyone who has the right to print,” Müller noted in the paper.
The attacks described in the study can be launched through USB, remotely over the local network or from the Internet via a malicious website using cross-site printing and cross-origin resource sharing spoofing. Using PostScript and Printer Job Language commands, an attacker can access entire file systems from some printers, including passwords for the embedded web server.
The HP LaserJet 1200, 4200N and 4250N along with the Dell 3130cn and Samsung Multipress 6345N were also found to have a vulnerable line printer daemon service that cannot handle usernames with 150 or more characters, meaning that sending a long username to the LPD service causes the printer to crash, and with the correct shellcode and return address, the vulnerability could be used for remote code execution.
Müller said that he had advised the vendors of his findings. But given that some of the vulnerabilities have been known for more than a decade, it appears that printer makers aren’t much concerned and haven’t been taking printer security seriously.
Image: 29233640@N07/Flickr/CC by 2.0
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU