Thursday, August 28, 2008

Hacking Multi-Functional Printers

As more companies are deploying the multifunctional copier/printer/fax/ftp/email machines, they are leaving themselves open to attack.

General multi-functional security issues…

One of the issues that spans most of these types of machines across the manufacturers is that the audit trails are almost non-existent. In other words, you can ftp or email any document you want across the Internet (to a competitor or other evil-intentioned folk) without a full audit trail. Most of the machines will provide the ftp site or email address that the message was sent to, but the sender is not identified. A couple of manufacturers allow you to assign everyone a user ID code (usually 3 or 4 digits) that you have to enter to send anything, but I haven't seen this implemented at any of the companies I've visited.
So what? Folks have been faxing things out without an audit trail for years with a regular fax machine. True, but that the fact that something is generally accepted doesn't mean that it's a good security practice (people successfully speed, run red lights, do dope, and refuse to apply security patches all the time).

Of course, today you can fax out from the privacy of your desk, but most of the turnkey systems today will save a copy of all faxes for later review and provide a good audit trail. Faxing from the multi-functional provides essentially none, even when using most of the fax clients (usually a web browser client) that come with the multi-functionals.

Furthermore, most multi-functionals allow you to use their ftp and email clients from your desk (no standing at the machine while that lanky security admin watches). Zip, it's gone!

Anyone can view the network configuration parameters (IP address, name of email server, etc.). This is also true of most printing devices (HP printers, for example). This can be locked by configuring an administrative password on the unit console, but all users will still be able to see the network configuration via the web browser.

Also, the folks that connect these babes to the network don't usually
bother changing the password that allows admin access to the device via the web browser, ftp, and telnet (what the heck is telnet? the secretary will ask). Of course, with admin access you can then have fun changing the IP addresses, subnet mask, or gateway of the printer to disable it; or better, if the ftp or SMTP options aren't configured, you can configure them and have your very own pipe out of the company (but your company's firewall is configured to block any ftp or SMTP traffic not coming from the appropriate devices, so that won't work anyway, right?)

Another issue is the large disk drives these machines have, where many of the printouts, scans, and email and ftp files are stored. It's just another place for the feds to check for incriminating evidence about your monopolistic compromises. Or in some cases, if you can ftp to the machine, those files are all YOURS!

Specific vulnerabilities…

While several of these types of machines are vulnerable (regardless of whether you change the admin password and require user ID codes), the Imagistics ( DL370 is especially poorly developed. Other Imagistics machines in this line use the same “scan engine” (as the manufacturers like to call them) and are probably vulnerable, but I have only tested the DL370. I heard that Imagistics stopped using this scan engine due to all the security issues, supposedly made by Minolta, for some other engine (not sure whose). I have searched the Internet and have found nothing related to this specific device, so I believe I am the first to discover and/or post this information.

Regarding the Imagistics DL370…

1. This device has three separate administrative accounts and passwords: one for the unit console, one for the web browser administrative functions, and one for telnet access. The unit console's account/password is not enabled by default; the web browser and telnet accounts/passwords are enabled by default. The default account/password for all 3 services on the machine I examined was admn/admn, but I believe the vendor changes this before install.

2. Administrative functions (such as changing device settings or setting up email addresses, FTP sites, and fax numbers) require an administrative password to be entered. Once entered, the password is stored in the URL in clear text (even after closing the browser and logging off the PC).

To see the password, log in with the admin password (or get the PC used by the administrator of the device), and then backspace over the last character in the URL (in the URL bar at the top of the browser). Scroll down. Look for the URL that says pwd= (can you imagine a Help Desk person accessing the admin console from a user's PC to look at an issue and then walking away, without realizing that they leave the admin password behind?).

3. If you save the device settings to your hard drive (under System, Preferences) and open the .bin file with Notepad, it reveals the admin password in clear text (first word in the file). Any user can do this with only user access!

4. The web browser function on this unit cannot be turned off. So #2 and #3 above are always available! laugh.gif

If you have an Imagistics Lax machine (especially the higher numbered versions), check them out and report back.