No, it is not a trick question and, yes, your security could be compromised by the fact that you trust your printer almost implicitly. At the Black Hat Security conference this week, Brendan O’Connor proved just how insecure embedded software can be, by exploiting a vulnerability affecting Xerox printers and intercepting data from content printed by one. O’Connor managed to map an internal network, and gain access to all information printed, copied or faxed by the multi-function device, not to mention the ability to run unauthorized software on the printer itself.
So how come a printer can be targeted by such exploits, you may ask. But if you apply a little sideways logic and think of a workgroup printer as being just a Linux server inside a copier, things start to become rather clearer. And as these kinds of devices become ever more complex, the security risk to the data that passes through them increases. And as the volume of data, sensitive and often commercially so, is immense, perhaps it is time you started taking this kind of ‘at the edge’ hardware security issue a lot more seriously than at present. After all, it is not a new threat, and I am sure I am not the only one who recalls reading about exactly this kind of hardware vulnerability many years ago in publications such as 2600.
In fairness to Xerox, this particular vulnerability, known as the WorkCenter Printer Bug, was patched way back in February. Unfortunately, the Black Hat demonstration would seem to suggest that the patch was not good enough and the printer remains vulnerable. Xerox has stated that it is working to fix this, and a further patch will be released. What is more, and impresses the heck out of me to be honest, is the fact that the Xerox representative who attended the demonstration was appreciative of O’Connor’s efforts in bringing the problem to light.
This is in stark contrast to the reaction of Cisco last year, which reacted to a vulnerability disclosure at Black Hat 2005 by Michael Lynn with a lawsuit. This knee-jerk corporate protectionism does nothing to allay public concern about security issues. Running scared of assumed public reaction, of being found out, and seeking to hide a vulnerability rather than allow such information into the public domain, where it can empower users, increase risk awareness and even ultimately ensure greater accountability at developer level, is short-sighted in the extreme. So a big pat on the back to both O’Connor and Xerox on this occasion.
Of course, such things as the Digital Millennium Copyright Act do not exactly help the would-be whistle-blower, imposing restrictions on developing tools that can circumvent access controls and so help researchers uncover vulnerabilities.