This story appeared on Network World at

http://www.networkworld.com/columnists/2007/042307bradner.html

Undercover (and vulnerable) computers

By Scott Bradner, Network World, 04/23/07

It is hardly surprising that few pieces of electronics get built these days without one or more computers hidden inside. What is somewhat surprising is that too many of these computers are directly addressable on your network and are running Web or SNMP servers that can present significant hacking opportunities when imperfectly programmed. In many cases, they can also present significant threats to your privacy without any hacking required.

There seem to be Web and SNMP servers in everything (for example, Google gets 373,000 hits for "embedded Web server"). They show up in all sorts of network infrastructure gear, plug strips, home theater systems, environmental control systems, UPSs, test equipment, and, most relevant for this column, network-connected printers.

Some people have worried about the security threat of having a printer with a hackable computer in it for quite a while. The oldest story I ran across is from 1998 and I'm sure there are much older ones. More recently, security expert Brendan O'Connor gave a talk at last fall's Black Hat conference, which was reported on by Bruce Schneier

There are two problems these devices: they create a hackable computer inside your network's security perimeter, and in the case of printers, they can present a major privacy and security threat.

The hacking problem is made significantly worse by the fact that most people do not check software updates for printers. So even if the printer vendor were to put out a software update including a security fix, very few printers will get updated.

But the second problem cannot be addressed with a bug fix because the system is working as it was designed. For example, many medium to high-end workgroup printers now have disk drives where they store print jobs. They also have Web servers that users can interact with to schedule when jobs are to be printed or to reprint old jobs. Many of the printers only remove old print files when they run out of room on the disk. (At least one printer has an extra cost option that will purge day-old files -- the vendor wants you to pay extra for something that should come standard.)

Because printer manufacturers seem to think that everyone in a company is a saint, many of the printers let anyone who accesses the Web server print any file (and with a little hacking, maybe grab the file over the 'Net).

In many cases the person who installed the printer never knew it had a Web server in it. I speak from personal experience after just figuring out that my high-end Epson photo printer includes an automatically enabled Web server that is using the default password, which I have not figured out yet. Needless to say, the printer will be off and filtered until I can find out what the password is and reset it.

The lesson here is to find out how overly helpful a printer is and whether it meets your security and privacy rules before you buy and install it on your sensitive network.

Disclaimer: Harvard is all about lessons and I expect this one is being learned somewhere on campus. But the university has not expressed an opinion on too-smart printers -- I have.