Click here to receive your FREE subscription to Campus Technology

Home > Printer Vulnerability Exposed by Indiana U Security Engineer

News

Printer Vulnerability Exposed by Indiana U Security Engineer

4/8/2008

By Dian Schaffhauser

Security engineers in the Information Technology Security Office (ITSO) at Indiana University were at a loss when a user described a network-connected multifunctional printer that was acting strangely--even printing spam e-mail messages onto paper.

While investigating the printer problem, Nate Johnson, Indiana U's lead security engineer, took a chance and tested the printer for vulnerability to a File Transfer Protocol (FTP) Bounce Attack, a method used by malicious computer hackers to relay a network scan through another device, essentially covering their tracks online.

Johnson's hunch paid off, and with the maneuver, he discovered a security risk in a widely used family of Canon printers.

ITSO provides active security analysis, development, education, and guidance related to Indiana U's information assets and IT environment.

Johnson and ITSO recently published the vulnerability, having already alerted Canon to the problem. UISO has published four disclosures in the last two years.

Johnson's test--a common tactic for security professionals hoping to find holes in network security--revealed a vulnerability in the network configuration of certain printers and other devices in the Canon imageRUNNER series. These multifunctional printers are the size of a traditional copying machine and include network access that can leave them open to misuse if not properly configured. Hackers can exploit the device's Internet connection and treat it as a proxy from which to attack other sources, while concealing their own location.

"I stumbled across the security vulnerability," said Johnson. "The customer was having a problem with a printer, and on a whim I tested it. Hopefully, now that we have published the risk, people and businesses with these devices will take another look at their inventory."

Workarounds to the vulnerability include disabling FTP printing, setting up a username and password challenge to protect FTP printing or having a Canon service technician install a firmware update. A report posted on the campus' security office site states, "Additionally, best practices suggest that access controls and network firewall policies be put into place to only allow connections from trusted machines and networks."

According to Canon, the FTP command isn't used for printing from the printer driver. It only affects those imageRUNNER machines that have the FTP print setting on.

To view the detailed alert reported by UISO, visit   https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack.

To view the alert from Canon, visit  http://www.usa.canon.com/html/security/office_security.html.


Dian Schaffhauser is a writer who covers technology and business. Send your higher education technology news to her at dian@dischaffhauser.com.

Cite this Site

Dian Schaffhauser, "Printer Vulnerability Exposed by Indiana U Security Engineer," Campus Technology, 4/8/2008, http://www.campustechnology.com/article.aspx?aid=60565

copy text (above) for proper citation



Recommended Reading
  • Gates Highlights R&D at CES08, Unveils Microsoft Touch Wall

    Microsoft's Chairman Bill Gates spent a lot of time Wednesday talking about "empowering the workers" at the Microsoft's 12th annual CEO Summit 2008 in Redmond, WA, where he gave a keynote speech. However, Gates wasn't talking about political revolutions or even pay raises for office workers before the CEO crowd. Instead, he was referring to new software technologies that can better enable collaboration, social networking and decision-making on the job.

  • Vista Vulnerability Study Puts Microsoft on Defensive

    Microsoft and some independent security researchers had the blogosphere buzzing Wednesday over a series of denunciations after one company claimed that the Vista operating system was more vulnerable to malware and other exploits than previous operating systems.

  • New Blackboard Sync Application Leverages Facebook

    Blackboard Inc. today announced Blackboard Sync, an application that allows students to receive course updates and communicate with classmates while logged on to Facebook.

  • Standards: The Sooner the Better

    Technology solutions work best when they well together. That is why the nonprofit group IMS Global Learning Consortium is developing learning tools interoperability standards for the education technology community...

  • U.K. Education Group Escalates Microsoft Complaints

    A consultancy to the U.K. government has forwarded complaints about Microsoft's licensing and interoperability practices to the European Commission (EC), according to an announcement issued by the Becta consulting group Monday.

  • University Students and Researchers Enjoy JavaOne

    The JavaOne conference, held May 6-9 in San Francisco, brought together developers from industry, education, and other markets, filling the Moscone Convention Center with a wide array of sessions and exhibits for the open source Java developer community.

Related Articles

send e-mail link to articleEmail this article

print this articlePrintable Format