Are Multi-Function Printers a Security Risk?

TheMSsForum.com: The Microsoft Software Forum

Some of my users work as veteranâ??s advocates within Veterans Administration
offices across the country. As such they are guests on the VA's network
subject to there rules and guidelines. Recently I was informed that they are
not allowed to use Multi-Function Printers due to a security risk. They are
saying that someone can dial into the MFP Fax, access the attached PC through
the printer interface and thus gain access to the network. This sounds a bit
far fetched to me. Is this a real possibility?
Top

Re: Are Multi-Function Printers a Security Risk? by Phillip

Phillip
Tue Mar 22 10:49:43 CST 2005

Sound far fetched and sounds like just paranoia.

PCs don't present shared resources to Printer/Faxs.

If what they claim is true then it would happen if the building was totally
empty of people just simply because the PC and the Printer were turned on.
So it would not have anything to do with someone "using it".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"Stan G." <Stan G.@discussions.microsoft.com> wrote in message
news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
> Some of my users work as veteran's advocates within Veterans
Administration
> offices across the country. As such they are guests on the VA's network
> subject to there rules and guidelines. Recently I was informed that they
are
> not allowed to use Multi-Function Printers due to a security risk. They
are
> saying that someone can dial into the MFP Fax, access the attached PC
through
> the printer interface and thus gain access to the network. This sounds a
bit
> far fetched to me. Is this a real possibility?
>
>


Top

Re: Are Multi-Function Printers a Security Risk? by Matt

Matt
Tue Mar 22 12:45:45 CST 2005

I agree. However, fully networked printers that are exposed to the internet
(not too common, I agree), CAN be exploited and pose a large security risk.

Matt Gibson - GSEC

"Phillip Windell" <@.> wrote in message
news:%23Y39m8vLFHA.436@TK2MSFTNGP09.phx.gbl...
> Sound far fetched and sounds like just paranoia.
>
> PCs don't present shared resources to Printer/Faxs.
>
> If what they claim is true then it would happen if the building was
> totally
> empty of people just simply because the PC and the Printer were turned on.
> So it would not have anything to do with someone "using it".
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
> "Stan G." <Stan G.@discussions.microsoft.com> wrote in message
> news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
>> Some of my users work as veteran's advocates within Veterans
> Administration
>> offices across the country. As such they are guests on the VA's network
>> subject to there rules and guidelines. Recently I was informed that they
> are
>> not allowed to use Multi-Function Printers due to a security risk. They
> are
>> saying that someone can dial into the MFP Fax, access the attached PC
> through
>> the printer interface and thus gain access to the network. This sounds a
> bit
>> far fetched to me. Is this a real possibility?
>>
>>
>
>


Top

RE: Are Multi-Function Printers a Security Risk? by StanG

StanG
Tue Mar 22 13:23:03 CST 2005

I think the real issue here is weather or not the Fax interface can be dialed
up and hacked so that it can be used like a modem to access the PC and
network.

"Stan G." wrote:

> Some of my users work as veteranâ??s advocates within Veterans Administration
> offices across the country. As such they are guests on the VA's network
> subject to there rules and guidelines. Recently I was informed that they are
> not allowed to use Multi-Function Printers due to a security risk. They are
> saying that someone can dial into the MFP Fax, access the attached PC through
> the printer interface and thus gain access to the network. This sounds a bit
> far fetched to me. Is this a real possibility?
>
>
Top

Re: Are Multi-Function Printers a Security Risk? by Matt

Matt
Tue Mar 22 13:57:42 CST 2005

That would depend on the exact model of printer, but I've never heard of
such a vulnerbility.

Matt Gibson - GSEC

"Stan G." <StanG@discussions.microsoft.com> wrote in message
news:BE8F46EB-1539-4932-98A8-ECBBA119161A@microsoft.com...
>I think the real issue here is weather or not the Fax interface can be
>dialed
> up and hacked so that it can be used like a modem to access the PC and
> network.
>
> "Stan G." wrote:
>
>> Some of my users work as veteran's advocates within Veterans
>> Administration
>> offices across the country. As such they are guests on the VA's network
>> subject to there rules and guidelines. Recently I was informed that they
>> are
>> not allowed to use Multi-Function Printers due to a security risk. They
>> are
>> saying that someone can dial into the MFP Fax, access the attached PC
>> through
>> the printer interface and thus gain access to the network. This sounds a
>> bit
>> far fetched to me. Is this a real possibility?
>>
>>


Top

Re: Are Multi-Function Printers a Security Risk? by Alun

Alun
Tue Mar 22 10:18:01 CST 2005

It sounds far-fetched, but remotely plausible. Surely along with this
recommendation comes some links to documentation of the presence of the
threat?

In a well-designed MFP, the fax software and the networking software would
be well-segmented. In a poorly-designed MFP, an overflow in the fax
software might allow intruding code access to the network.

However, the consideration then is: what is it suggested that you replace
the MFP with?

A physically separate fax system, unplugged from the network, would be
safer - but a separate fax machine is more expensive, because you're
essentially buying a printer and a scanner that are only ever used for
faxes, and if you have other printing and scanning requirements, you would
then need to buy another printer and scanner.

Replacing an MFP with a PC that receives faxes over a modem card, and scans
/ prints via attached peripherals, isn't going to be any better off, from a
security standpoint, than the MFP. The only advantage of a PC running your
fax solution would be that you could leave it unplugged from the network,
and transfer data to and from it via physical media (floppies, or other
removable storage). I am not aware of any MFPs that have physical media
inputs.

Finally, of course, there's the issue that, as you point out, you are guests
on their network - they get to state the rules. You may be allowed or
encouraged to question the rules, but you have to live by them. If you're
found disobeying the rules (however ill-conceived you may feel they are),
you will probably find yourselves disconnected, so you should probably ask
the VA what it is that they accept as a secure alternative.

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.

"Stan G." <Stan G.@discussions.microsoft.com> wrote in message
news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
> Some of my users work as veteran's advocates within Veterans
> Administration
> offices across the country. As such they are guests on the VA's network
> subject to there rules and guidelines. Recently I was informed that they
> are
> not allowed to use Multi-Function Printers due to a security risk. They
> are
> saying that someone can dial into the MFP Fax, access the attached PC
> through
> the printer interface and thus gain access to the network. This sounds a
> bit
> far fetched to me. Is this a real possibility?
>
>


Top

Re: Are Multi-Function Printers a Security Risk? by Phillip

Phillip
Tue Mar 22 15:39:06 CST 2005

Personally,..I think it is "Twilight-Zone" stuff,...just between you and me.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Matt Gibson" <mattg@blueedgetech.ca> wrote in message
news:ezbjnlxLFHA.3064@TK2MSFTNGP12.phx.gbl...
> That would depend on the exact model of printer, but I've never heard of
> such a vulnerbility.
>
> Matt Gibson - GSEC
>
> "Stan G." <StanG@discussions.microsoft.com> wrote in message
> news:BE8F46EB-1539-4932-98A8-ECBBA119161A@microsoft.com...
> >I think the real issue here is weather or not the Fax interface can be
> >dialed
> > up and hacked so that it can be used like a modem to access the PC and
> > network.
> >
> > "Stan G." wrote:
> >
> >> Some of my users work as veteran's advocates within Veterans
> >> Administration
> >> offices across the country. As such they are guests on the VA's network
> >> subject to there rules and guidelines. Recently I was informed that
they
> >> are
> >> not allowed to use Multi-Function Printers due to a security risk. They
> >> are
> >> saying that someone can dial into the MFP Fax, access the attached PC
> >> through
> >> the printer interface and thus gain access to the network. This sounds
a
> >> bit
> >> far fetched to me. Is this a real possibility?
> >>
> >>
>
>


Top

Re: Are Multi-Function Printers a Security Risk? by Matt

Matt
Tue Mar 22 18:16:45 CST 2005

Agreed ;)

Matt Gibson - GSEC


"Phillip Windell" <@.> wrote in message
news:O%23dJUeyLFHA.688@TK2MSFTNGP10.phx.gbl...
> Personally,..I think it is "Twilight-Zone" stuff,...just between you and
> me.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
> news:ezbjnlxLFHA.3064@TK2MSFTNGP12.phx.gbl...
>> That would depend on the exact model of printer, but I've never heard of
>> such a vulnerbility.
>>
>> Matt Gibson - GSEC
>>
>> "Stan G." <StanG@discussions.microsoft.com> wrote in message
>> news:BE8F46EB-1539-4932-98A8-ECBBA119161A@microsoft.com...
>> >I think the real issue here is weather or not the Fax interface can be
>> >dialed
>> > up and hacked so that it can be used like a modem to access the PC and
>> > network.
>> >
>> > "Stan G." wrote:
>> >
>> >> Some of my users work as veteran's advocates within Veterans
>> >> Administration
>> >> offices across the country. As such they are guests on the VA's
>> >> network
>> >> subject to there rules and guidelines. Recently I was informed that
> they
>> >> are
>> >> not allowed to use Multi-Function Printers due to a security risk.
>> >> They
>> >> are
>> >> saying that someone can dial into the MFP Fax, access the attached PC
>> >> through
>> >> the printer interface and thus gain access to the network. This sounds
> a
>> >> bit
>> >> far fetched to me. Is this a real possibility?
>> >>
>> >>
>>
>>
>
>


Top

Re: Are Multi-Function Printers a Security Risk? by BAR

BAR
Wed Mar 23 07:35:04 CST 2005

The Multi-Function devices do not have enough 'intelligence' to accomodate a
dial-up network.

The software is written to support fax protocol.

"Alun Jones [MSFT]" wrote:

> It sounds far-fetched, but remotely plausible. Surely along with this
> recommendation comes some links to documentation of the presence of the
> threat?
>
> In a well-designed MFP, the fax software and the networking software would
> be well-segmented. In a poorly-designed MFP, an overflow in the fax
> software might allow intruding code access to the network.
>
> However, the consideration then is: what is it suggested that you replace
> the MFP with?
>
> A physically separate fax system, unplugged from the network, would be
> safer - but a separate fax machine is more expensive, because you're
> essentially buying a printer and a scanner that are only ever used for
> faxes, and if you have other printing and scanning requirements, you would
> then need to buy another printer and scanner.
>
> Replacing an MFP with a PC that receives faxes over a modem card, and scans
> / prints via attached peripherals, isn't going to be any better off, from a
> security standpoint, than the MFP. The only advantage of a PC running your
> fax solution would be that you could leave it unplugged from the network,
> and transfer data to and from it via physical media (floppies, or other
> removable storage). I am not aware of any MFPs that have physical media
> inputs.
>
> Finally, of course, there's the issue that, as you point out, you are guests
> on their network - they get to state the rules. You may be allowed or
> encouraged to question the rules, but you have to live by them. If you're
> found disobeying the rules (however ill-conceived you may feel they are),
> you will probably find yourselves disconnected, so you should probably ask
> the VA what it is that they accept as a secure alternative.
>
> Alun.
> ~~~~
> --
> Software Design Engineer, Internet Information Server (FTP)
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Stan G." <Stan G.@discussions.microsoft.com> wrote in message
> news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
> > Some of my users work as veteran's advocates within Veterans
> > Administration
> > offices across the country. As such they are guests on the VA's network
> > subject to there rules and guidelines. Recently I was informed that they
> > are
> > not allowed to use Multi-Function Printers due to a security risk. They
> > are
> > saying that someone can dial into the MFP Fax, access the attached PC
> > through
> > the printer interface and thus gain access to the network. This sounds a
> > bit
> > far fetched to me. Is this a real possibility?
> >
> >
>
>
>
Top

Re: Are Multi-Function Printers a Security Risk? by Stan

Stan
Wed Mar 23 09:27:05 CST 2005

The only refrence I've been given is a policy letter from 1999-2000 dealing
with the removal of Fax Modems from PC. I plan on challenging there ruling
but need to "git my ducks in a row" before proceeding.

"Alun Jones [MSFT]" wrote:

> It sounds far-fetched, but remotely plausible. Surely along with this
> recommendation comes some links to documentation of the presence of the
> threat?
>
> In a well-designed MFP, the fax software and the networking software would
> be well-segmented. In a poorly-designed MFP, an overflow in the fax
> software might allow intruding code access to the network.
>
> However, the consideration then is: what is it suggested that you replace
> the MFP with?
>
> A physically separate fax system, unplugged from the network, would be
> safer - but a separate fax machine is more expensive, because you're
> essentially buying a printer and a scanner that are only ever used for
> faxes, and if you have other printing and scanning requirements, you would
> then need to buy another printer and scanner.
>
> Replacing an MFP with a PC that receives faxes over a modem card, and scans
> / prints via attached peripherals, isn't going to be any better off, from a
> security standpoint, than the MFP. The only advantage of a PC running your
> fax solution would be that you could leave it unplugged from the network,
> and transfer data to and from it via physical media (floppies, or other
> removable storage). I am not aware of any MFPs that have physical media
> inputs.
>
> Finally, of course, there's the issue that, as you point out, you are guests
> on their network - they get to state the rules. You may be allowed or
> encouraged to question the rules, but you have to live by them. If you're
> found disobeying the rules (however ill-conceived you may feel they are),
> you will probably find yourselves disconnected, so you should probably ask
> the VA what it is that they accept as a secure alternative.
>
> Alun.
> ~~~~
> --
> Software Design Engineer, Internet Information Server (FTP)
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Stan G." <Stan G.@discussions.microsoft.com> wrote in message
> news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
> > Some of my users work as veteran's advocates within Veterans
> > Administration
> > offices across the country. As such they are guests on the VA's network
> > subject to there rules and guidelines. Recently I was informed that they
> > are
> > not allowed to use Multi-Function Printers due to a security risk. They
> > are
> > saying that someone can dial into the MFP Fax, access the attached PC
> > through
> > the printer interface and thus gain access to the network. This sounds a
> > bit
> > far fetched to me. Is this a real possibility?
> >
> >
>
>
>
Top

Re: Are Multi-Function Printers a Security Risk? by Phillip

Phillip
Wed Mar 23 11:14:44 CST 2005

I hate to say it,..but you may be wasting your time. People operating on
paranoia and "fables" rarely listen to reason and logic.

Just use separate FAX machines and printers instead of combination devices
and forget it. If the FAX part of these combination devices isn't used,
then just don't plug a phone line into them.

There are more important things to "rock the boat" on than stupid FAX
machines.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Stan G." <Stan G.@discussions.microsoft.com> wrote in message
news:BB057753-89E3-470B-912F-F4B291B64097@microsoft.com...
> The only refrence I've been given is a policy letter from 1999-2000
dealing
> with the removal of Fax Modems from PC. I plan on challenging there
ruling
> but need to "git my ducks in a row" before proceeding.
>
> "Alun Jones [MSFT]" wrote:
>
> > It sounds far-fetched, but remotely plausible. Surely along with this
> > recommendation comes some links to documentation of the presence of the
> > threat?
> >
> > In a well-designed MFP, the fax software and the networking software
would
> > be well-segmented. In a poorly-designed MFP, an overflow in the fax
> > software might allow intruding code access to the network.
> >
> > However, the consideration then is: what is it suggested that you
replace
> > the MFP with?
> >
> > A physically separate fax system, unplugged from the network, would be
> > safer - but a separate fax machine is more expensive, because you're
> > essentially buying a printer and a scanner that are only ever used for
> > faxes, and if you have other printing and scanning requirements, you
would
> > then need to buy another printer and scanner.
> >
> > Replacing an MFP with a PC that receives faxes over a modem card, and
scans
> > / prints via attached peripherals, isn't going to be any better off,
from a
> > security standpoint, than the MFP. The only advantage of a PC running
your
> > fax solution would be that you could leave it unplugged from the
network,
> > and transfer data to and from it via physical media (floppies, or other
> > removable storage). I am not aware of any MFPs that have physical media
> > inputs.
> >
> > Finally, of course, there's the issue that, as you point out, you are
guests
> > on their network - they get to state the rules. You may be allowed or
> > encouraged to question the rules, but you have to live by them. If
you're
> > found disobeying the rules (however ill-conceived you may feel they
are),
> > you will probably find yourselves disconnected, so you should probably
ask
> > the VA what it is that they accept as a secure alternative.
> >
> > Alun.
> > ~~~~
> > --
> > Software Design Engineer, Internet Information Server (FTP)
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> > "Stan G." <Stan G.@discussions.microsoft.com> wrote in message
> > news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
> > > Some of my users work as veteran's advocates within Veterans
> > > Administration
> > > offices across the country. As such they are guests on the VA's
network
> > > subject to there rules and guidelines. Recently I was informed that
they
> > > are
> > > not allowed to use Multi-Function Printers due to a security risk.
They
> > > are
> > > saying that someone can dial into the MFP Fax, access the attached PC
> > > through
> > > the printer interface and thus gain access to the network. This sounds
a
> > > bit
> > > far fetched to me. Is this a real possibility?
> > >
> > >
> >
> >
> >


Top

Re: Are Multi-Function Printers a Security Risk? by Roland

Roland
Wed Mar 23 16:36:19 CST 2005

"Stan G." wrote in message
news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
: Some of my users work as veteran's advocates within Veterans
Administration
: offices across the country. As such they are guests on the VA's network
: subject to there rules and guidelines. Recently I was informed that they
are
: not allowed to use Multi-Function Printers due to a security risk. They
are
: saying that someone can dial into the MFP Fax, access the attached PC
through
: the printer interface and thus gain access to the network. This sounds a
bit
: far fetched to me. Is this a real possibility?

I would have one of two responses if told that by someone:

Positive:
I'm interesting in learning more of how that is done so I can better protect
myself and so I could inform others of this issue. Can you show me how that
is done or point me to an article with a proof of concept?

Negative:
Muwaaahahahahaha!

Let's see what's out there...
http://www.okidata.com/mkt/html/nf/FAXMFPSecurityFeatures.html
http://h30046.www3.hp.com/casestudy.php?topiccode=20040331_45555_0_121_0_0&pagesite=IPGSECURE_OOV
http://health-care-it.advanceweb.com/Common/editorial/editorial.aspx?CC=5547

In all that I see, the security is for protecting data or connectivity
information stored in the device. This should be true with any device, and
not restricted to just MFP Faxing. However, nothing suggests an attacker
can access a system via an incoming fax line.

I am also not aware of businesses using MFP's for incoming faxes. There are
security implications there but for resources being depleted which could
result in a DoS. Why anyone would leave a fingerprint like that is beyond
me. It's easier to get all the info you want from the employees who are so
eager to tell anyone how much they know.

But, it might be possible if the MFP could reveal settings and those
settings be used with another point of entry. Also, if the MFP was sold and
information was not wiped clean, then there is a potential for information
getting out. But, that's why passwords are supposed to be unique and why
devices should not have full access to the network. If JoeBlowMFP can only
logon from SuperDuperMFP, then having that account information is pretty
much useless.

--
Roland Hall
- Security is like protective clothing - It works best in layers -

/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/


Top

Re: Are Multi-Function Printers a Security Risk? by Ezra

Ezra
Fri Mar 25 09:07:34 CST 2005

A policy for removing fax modems from PCs is a far cry from calling a
MFP a security risk. Fax modems are a huge security hole, but only
because they allow a PC to bypass the corporate gateway. For example,
there have been many cases of people installing remote control
software on their work PC so they can dial in from home.

But the risk here is that the modem is on a PC. I don't know of any
published vulnerabilities concerning fax machines.

-Ezra Herman

On Wed, 23 Mar 2005 07:27:05 -0800, "Stan G." <Stan
G.@discussions.microsoft.com> wrote:

>The only refrence I've been given is a policy letter from 1999-2000 dealing
>with the removal of Fax Modems from PC. I plan on challenging there ruling
>but need to "git my ducks in a row" before proceeding.
>
>"Alun Jones [MSFT]" wrote:
>
>> It sounds far-fetched, but remotely plausible. Surely along with this
>> recommendation comes some links to documentation of the presence of the
>> threat?
>>
>> In a well-designed MFP, the fax software and the networking software would
>> be well-segmented. In a poorly-designed MFP, an overflow in the fax
>> software might allow intruding code access to the network.
>>
>> However, the consideration then is: what is it suggested that you replace
>> the MFP with?
>>
>> A physically separate fax system, unplugged from the network, would be
>> safer - but a separate fax machine is more expensive, because you're
>> essentially buying a printer and a scanner that are only ever used for
>> faxes, and if you have other printing and scanning requirements, you would
>> then need to buy another printer and scanner.
>>
>> Replacing an MFP with a PC that receives faxes over a modem card, and scans
>> / prints via attached peripherals, isn't going to be any better off, from a
>> security standpoint, than the MFP. The only advantage of a PC running your
>> fax solution would be that you could leave it unplugged from the network,
>> and transfer data to and from it via physical media (floppies, or other
>> removable storage). I am not aware of any MFPs that have physical media
>> inputs.
>>
>> Finally, of course, there's the issue that, as you point out, you are guests
>> on their network - they get to state the rules. You may be allowed or
>> encouraged to question the rules, but you have to live by them. If you're
>> found disobeying the rules (however ill-conceived you may feel they are),
>> you will probably find yourselves disconnected, so you should probably ask
>> the VA what it is that they accept as a secure alternative.
>>
>> Alun.
>> ~~~~
>> --
>> Software Design Engineer, Internet Information Server (FTP)
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Stan G." <Stan G.@discussions.microsoft.com> wrote in message
>> news:F2228105-8D00-4120-B17E-01A20677E647@microsoft.com...
>> > Some of my users work as veteran's advocates within Veterans
>> > Administration
>> > offices across the country. As such they are guests on the VA's network
>> > subject to there rules and guidelines. Recently I was informed that they
>> > are
>> > not allowed to use Multi-Function Printers due to a security risk. They
>> > are
>> > saying that someone can dial into the MFP Fax, access the attached PC
>> > through
>> > the printer interface and thus gain access to the network. This sounds a
>> > bit
>> > far fetched to me. Is this a real possibility?
>> >
>> >
>>
>>
>>

Top