> From: fv96-pjo at nada.kth.se (Patrik Johansson)
> Newsgroups: alt.security
> Subject: *** Unprotected printers - a security risk?
Good points, Patrik, to say nothing about consumption of paper media (ie
defensive, pro-active accounting controls) by people you don't want to
print (an even bgger problem with internet printing) This was proposed to
the "experts" who feel that it is not needed, even though buildings,
photocopiers, cars and most other things have some kind of access
control. This formally proposed as part of the IETF MIB for the new
generation of printers but failed for reasons that are not quite clear.
The same goes for packet sniffing the data going to the printer for
industrial espionage and for printers that have special media (colour or
cheque printer). All of these are ignored, despite common requests.
HP added a simple password for Telnet but this is not enough IMHO. This
will continue thanks to the efforts of printer manufactuer marketing
departments who want to ensure they don't do anything that might add value
to their products and give them a market advantage. Innovation is clearly
frowned upon, especialy with the strong NIH (NOT INVENTED HERE) mentality
as are posts of this nature, being regarded as "unprofessional" (whatever
I would not worry about the printers being permanentlt mucked up because
most are hard burned with OTP's, but constant administration of the
(altered) settings is a time wasting and costly activity.
>> A couple of weeks ago, at a seminar about network security, I talked with
> a security consultant who claimed to know about a security flaw in our
> network which made it possible for him (or anyone else for that matter) to
> ²crash² our network. I were a bit surprised by his statement, since he had
> never met me before and didn¹t even know what company I represented. I
> asked him how he could be so sure about that and he smiled and replied
> ²You have printers, don¹t you? Have you protected them?². Then he left.
>>> I dismissed him as yet another idiot and didn¹t think more about it until
> a few days ago when I installed a new printer in our network. As I were
> configuring printer settings, like name, communication parameters etc.
> using a printer utility software, his words came back to me and started to
> realise what he was talking about. Printers facing the same risks as
>>> If I could change all settings in the printer, so could anyone else on the
> network. In other words, anyone with access to our network could crash all
> our printers, using a simple printer utility. And, restarting the printers
> wouldn¹t help, since the settings are stored in permanent, EEPROM memory.
> Big problem.
>>> Considering that most companies have unprotected printers (according to
> people I¹ve talked to) this brings up a number of interesting questions
> concerning printers and network security:
>>> Are printers a security risk? Should I worry? Is it possible to create a
> ²printer virus², i.e. a computer virus attacking printers? Does printer
> viruses exist today? How can I protect our printers? Etc...