Author: beardednose
Technorati Tag: Hacking Printers
As more companies deploy multifunctional copier/printer/fax/ftp/email machines, they are leaving themselves open to attack.
General multi-functional security issues…
One of the issues that spans most of these types of machines across the manufacturers is that the audit trails are almost non-existent. In other words, you can ftp or email any document you want across the Internet (to a competitor or other evil-intentioned folk) without a full audit trail. Most of the machines will record the ftp site or email address that the message was sent to, but the sender is not identified. A couple of manufacturers allow you to assign everyone a user ID code (usually 3 or 4 digits) that has to be entered to send anything, but I haven't seen this implemented at any of the companies I've visited.
So what? Folks have been faxing things out without an audit trail for years with a regular fax machine. True, but the fact that something is generally accepted doesn't mean that it's a good security practice (people successfully speed, run red lights, do dope, and refuse to apply security patches all the time).
Of course, today you can fax out from the privacy of your desk, but most of the turnkey fax systems today will save a copy of all faxes for later review and provide a good audit trail. Faxing from the multi-functional provides essentially none, even when using most of the fax clients (usually a web browser client) that come with the multi-functionals.
Furthermore, most multi-functionals allow you to use their ftp and email clients from your desk (no standing at the machine while that lanky security admin watches). Zip, it's gone!
Anyone can view the network configuration parameters (IP address, name of email server, etc.). This is also true of most printing devices (HP printers, for example). This can be locked by configuring an administrative password on the unit console, but all users will still be able to see the network configuration via the web browser.
Also, the folks that connect these babes to the network don't usually bother changing the password that allows admin access to the device via the web browser, ftp, and telnet (what the heck is telnet? the secretary will ask). Of course, with admin access you can then have fun changing the IP address, subnet mask, or gateway of the printer to disable it; or better, if the ftp or SMTP options aren't configured, you can configure them and have your very own pipe out of the company (but your company's firewall is configured to block any ftp or SMTP traffic not coming from the appropriate devices, so that won't work anyway, right?).
Another issue is the large disk drives these machines have, where many of the printouts, scans, and email and ftp files are stored. It's just another place for the feds to check for incriminating evidence about your monopolistic compromises. Or in some cases, if you can ftp to the machine, those files are all YOURS!
Specific vulnerabilities…
While several of these types of machines are vulnerable (regardless of whether you change the admin password and require user ID codes), the Imagistics (www.imagistics.com) DL370 is especially poorly developed. Other Imagistics machines in this line use the same "scan engine" (as the manufacturers like to call them) and are probably vulnerable, but I have only tested the DL370. I heard that Imagistics stopped using this scan engine (supposedly made by Minolta) due to all the security issues and switched to some other engine (not sure whose). I have searched the Internet and have found nothing related to this specific device, so I believe I am the first to discover and/or post this information.
Regarding the Imagistics DL370…
1. This device has three separate administrative accounts and passwords: one for the unit console, one for the web browser administrative functions, and one for telnet access. The unit console's account/password is not enabled by default; the web browser and telnet accounts/passwords are enabled by default. The default account/password for all 3 services on the machine I examined was admn/admn, but I believe the vendor changes this before install.
2. Administrative functions (such as changing device settings or setting up email addresses, FTP sites, and fax numbers) require an administrative password to be entered. Once entered, the password is stored in the URL in clear text (even after closing the browser and logging off the PC).
To see the password, log in with the admin password (or get the PC used by the administrator of the device), and then backspace over the last character in the URL (in the URL bar at the top of the browser). Scroll down. Look for the URL that says pwd= (can you imagine a Help Desk person accessing the admin console from a user's PC to look at an issue and then walking away, without realizing that they leave the admin password behind?).
3. If you save the device settings to your hard drive (under System, Preferences) and open the .bin file with Notepad, it reveals the admin password in clear text (first word in the file). Any user can do this with only user access!
4. The web browser function on this unit cannot be turned off. So #2 and #3 above are always available!
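Since the web interface cannot be disabled (#4), the practical defence against #2 is to find out where the pwd= URLs have ended up. The following is an added example, not code from the post or from Imagistics: it scans web-server or proxy access logs in Common Log Format for requests whose query string carries a password parameter and reports them with the value redacted. The parameter names, the log format and the sample lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string keys that commonly carry a credential (assumed list; extend for your device).
SENSITIVE_KEYS = {"pwd", "password", "passwd", "pass"}

# Minimal Common Log Format matcher: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def redact(url):
    """Return the URL with every sensitive query value replaced by *** so the report does not re-leak it."""
    parts = urlsplit(url)
    cleaned = "&".join(
        f"{k}=***" if k.lower() in SENSITIVE_KEYS else f"{k}={v}"
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    )
    return parts._replace(query=cleaned).geturl()

def find_url_credentials(lines):
    """Return one finding per log line whose request URL carries a credential in its query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the expected log format; skip it
        query = urlsplit(m.group("url")).query
        leaked = sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                         if k.lower() in SENSITIVE_KEYS})
        if leaked:
            findings.append({"src": m.group("src"), "time": m.group("ts"),
                             "keys": leaked, "url": redact(m.group("url"))})
    return findings

# Constructed sample log lines (not from the post); 10.0.0.17 plays the device admin's PC.
SAMPLE_LOG = [
    '10.0.0.17 - - [12/Mar/2005:09:14:02 -0500] "GET /admin/scan.cgi?pwd=admn&dest=ftp HTTP/1.1" 200 1432',
    '10.0.0.23 - - [12/Mar/2005:09:15:10 -0500] "GET /status.cgi?page=toner HTTP/1.1" 200 512',
    '10.0.0.17 - - [12/Mar/2005:09:16:44 -0500] "POST /admin/email.cgi?Password=s3cret&id=4 HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_url_credentials(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['url']}  leaked keys: {f['keys']}")
```

Each hit tells you which client PC left the admin password in a URL, which is the machine whose browser history needs clearing and whose user needs the password changed.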
If you have an Imagistics Lax machine (especially the higher numbered versions), check them out and report back.