Printer Pranks - SANS Internet Storm Center

Printer Pranks
We currently have a poll running about printer security, and the results so far .. well, aren't looking all that hot. So here's a little primer: 1. Most office printers aren't just printers anymore. So-called MFPs (Multi-function printers) have taken over, and they contain permanent storage (a hard drive, usually), a fax modem, etc 2. Printer default configurations invariably suck. Even nowadays, they often come with SNMP active, and read/write communities set to public/private, silly default passwords, and have lots of unnecessary protocols and ports active. 3. The PJL interface on HP printers, for example, allows access to stored content. These are both stored print and fax jobs. Yes, you can pull stored jobs off the printers, over the network, without anyone noticing. This often even includes confidential print jobs that are "protected" with a PIN. The "hacking" tools to do so were released five, six years ago (google "Hijetter", for example) but amazingly enough still work just fine in way too many environments. 4. Most printer vendors by now support a setting that allows to reliably erase print job spool files from the disk once the print job has been completed. But the default setting is to just delete the file, which means that recent print jobs and faxes can be easily recovered by forensic means. If your printer is one of these, and you sell it for second-hand use, don't be surprised if you end up in the news. The bottom line being: get an inventory of your MFPs if you don't have one come up with a config template that changes all default passwords, disables unnecessary protocols and services, and turns on "secure erase" for stale information on the MFPs hard drive apply the template to all printers in the inventory repeat You can get away with "not managing" old simple printers that have no permanent storage. But not managing MFPs will likely come back to bite you one day. If you have printer security horror stories or printer configuration tips, please share in the comments below, or via our contact form.	Daniel 385 Posts ISC Handler Dec 23rd 2011
Thread locked Subscribe	Dec 23rd 2011 1 decade ago
WE put those vulnerable SOB's on their own special vlan, one that was unable to reach anything other than that vlan. Granted, it wasn't the BEST option, but lacking vendor support against said vulnerability AND only ONE hardened server facing said vlan, it was a sufficient solution, pending a better one. Of course, said vlan didn't know what OUR network or internet looked like, but one layer beats NO layer.	Wzrd1 8 Posts
Quote	Dec 23rd 2011 1 decade ago
We too gland them off...but the time we missed one the screen on the printer soon read "the squirrel stuck in tray 2is starting to stink". The joke never gets old in our office!	Wzrd1 1 Posts
Quote	Dec 23rd 2011 1 decade ago
I worked for a university when it was the height of Napster and KaZaA was just up and coming. The "new" Xerox MFPs were quickly pwned and turned into a MP3 share servers.	Wzrd1 3 Posts
Quote	Dec 23rd 2011 1 decade ago
Yeah, those Xeroxes were pretty lame. The new ones we installed around 2005 were running Windows NT 4 SP2. When we complained, Xerox responded that we had already signed the contract and there was nothing in it about security. Of course, Facilities bought them without ever thinking to tell anyone. After all, "it's just a printer". Our weekly Nessus scan would cause them to crash so hard they needed to be unplugged from the wall to be rebooted. They had no logging so Xerox had no clue what the cause could be so they replaced them with a different model that didn't run NT 4 and life was good. While this was going on, the local Xerox security guy, the one who told me "TS, the contract is already signed" was a speaker at the local InfraGard chapter meeting. He was extolling the virtues of how secure their printers were; no doubt he was also a sales type. So I raised my hand and went over our experience in front of the group. He said I should contact him after the meeting and then left without talking to me.	Anonymous
Quote	Dec 23rd 2011 1 decade ago

We currently have a poll running about printer security, and the results so far .. well, aren't looking all that hot. So here's a little primer:

1. Most office printers aren't just printers anymore. So-called MFPs (Multi-function printers) have taken over, and they contain permanent storage (a hard drive, usually), a fax modem, etc

2. Printer default configurations invariably suck. Even nowadays, they often come with SNMP active, and read/write communities set to public/private, silly default passwords, and have lots of unnecessary protocols and ports active.

3. The PJL interface on HP printers, for example, allows access to stored content. These are both stored print and fax jobs. Yes, you can pull stored jobs off the printers, over the network, without anyone noticing. This often even includes confidential print jobs that are "protected" with a PIN. The "hacking" tools to do so were released five, six years ago (google "Hijetter", for example) but amazingly enough still work just fine in way too many environments.

4. Most printer vendors by now support a setting that allows to reliably erase print job spool files from the disk once the print job has been completed. But the default setting is to just delete the file, which means that recent print jobs and faxes can be easily recovered by forensic means. If your printer is one of these, and you sell it for second-hand use, don't be surprised if you end up in the news.

The bottom line being:

get an inventory of your MFPs if you don't have one
come up with a config template that changes all default passwords, disables unnecessary protocols and services, and turns on "secure erase" for stale information on the MFPs hard drive
apply the template to all printers in the inventory
repeat

You can get away with "not managing" old simple printers that have no permanent storage. But not managing MFPs will likely come back to bite you one day.

If you have printer security horror stories or printer configuration tips, please share in the comments below, or via our contact form.

Daniel

385 Posts
ISC Handler

Dec 23rd 2011

WE put those vulnerable SOB's on their own special vlan, one that was unable to reach anything other than that vlan.
Granted, it wasn't the BEST option, but lacking vendor support against said vulnerability AND only ONE hardened server facing said vlan, it was a sufficient solution, pending a better one.
Of course, said vlan didn't know what OUR network or internet looked like, but one layer beats NO layer.

Wzrd1

8 Posts

We too gland them off...but the time we missed one the screen on the printer soon read "the squirrel stuck in tray 2is starting to stink". The joke never gets old in our office!

Wzrd1
1 Posts

I worked for a university when it was the height of Napster and KaZaA was just up and coming. The "new" Xerox MFPs were quickly pwned and turned into a MP3 share servers.

Wzrd1
3 Posts

Yeah, those Xeroxes were pretty lame. The new ones we installed around 2005 were running Windows NT 4 SP2. When we complained, Xerox responded that we had already signed the contract and there was nothing in it about security. Of course, Facilities bought them without ever thinking to tell anyone. After all, "it's just a printer".

Our weekly Nessus scan would cause them to crash so hard they needed to be unplugged from the wall to be rebooted. They had no logging so Xerox had no clue what the cause could be so they replaced them with a different model that didn't run NT 4 and life was good.

While this was going on, the local Xerox security guy, the one who told me "TS, the contract is already signed" was a speaker at the local InfraGard chapter meeting. He was extolling the virtues of how secure their printers were; no doubt he was also a sales type. So I raised my hand and went over our experience in front of the group. He said I should contact him after the meeting and then left without talking to me.

Anonymous