The following text is copyright 2007 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

Undercover (& vulnerable) computers

 

By: Scott Bradner

 

This is not a new story, but it is one that not enough people know about.  It is hardly surprising that hardly a piece of electronics gets built these days without one or more computers hidden inside. What is somewhat surprising is that too many of these computers are directly addressable on your network and are running web or SNMP servers that can present significant hacking opportunities when imperfectly programmed and, in many cases, significant threats to your privacy without any hacking being required.

 

There seem to be web and SNMP servers in everything these days (For example, Google gets 373 thousand hits for "embedded web server,")  They show up in a sorts of network infrastructure gear, plug strips, home theater systems, environmental control systems, UPSs, test equipment, and, most relevant for this column, network connected printers of all kinds.

 

Some people have been worried about the security threat of having a printer with a hackable computer in it for quite a wile.  The oldest article I ran across is from 1998 (http://www.ciac.org/ciac/bulletins/j-019.shtml) and I'm sure there are far older ones.  More recently, security expert Brendan O'Connor gave a talk at last fall's Black Hat conference (http://articles.techrepublic.com.com/2100-1009_11-6102367.html) which was reported on by Bruce Schneier (http://www.schneier.com/blog/archives/2006/08/printer_securit.html).

 

The problems with devices like this fall into two types: first they create a hackable computer inside your network's security perimeter, and second, in the case of printers, they can present a major privacy and security threat.

 

The hacking problem is made significantly worse by the fact that most people do not check for software updates for printers so, even if the printer vendor were to put out a software update that includes a security fix very few printers will actually get updated.

 

But the second problem is not fixable with a bug fix because the system is working as it was designed to.  For example, many medium to high-end workgroup printers now have disk drives where they store print jobs.  They also have web servers that users can interact with to schedule when jobs are to be printed or to reprint old jobs.  Many of the printers only remove old print files when they run out of room on the disk.  (At least one printer as an extra cost option that will purge day-old files -- i.e. they want you to pay extra for them to do something that should be a standard option.)  Because the printer manufacturers seem to think that everyone in a company is a saint many of the printers let anyone who accesses the web server print any file (and with a little hacking, maybe grab the file over the net).  This means that you better not have anyone within your security envelope you would not want printing any file sent to the printer by anyone else. 

 

In all too many cases the person who installed the printer never knew it had a web server in it.  I speak from personal experience here. I just figured out that my high-end Epson photo printer includes an automatically enabled web server that is currently using the default password (which I have not figured out yet) - needless to say the printer will be off and filtered until I can find out what the password is and reset it.

 

The lesson here is to find out how overly helpful a printer is and whether it meets your security and privacy rules before you decide to buy and install it on your sensitive network.

 

disclaimer: Harvard is all about lessons and I expect this one is being learned somewhere on campus but the university has not expressed an opinion on too-smart printers -- I have.