Feeds

Multifunction printer p0wnage just getting worse, researcher finds

Konica Minolta, Sharp, Dell, Canon and HP printers spew credentials when probed

Beginner's guide to SSL certificates

It is now easier than ever to hack corporate networks through multifunction printers, which can even offer up access to Active Directory accounts according to security consultant Deral Heiland.

The moustachioed Rapid 7 tech veteran said his team now gains access to corporate active directory credentials through credentials stored in the latest printers in one in every two attempts. Four years ago they had only a 10 to 15 percent success rate.

High end Konica Minolta, Sharp, Dell, Canon and HP enterprise multi function printers spewed usernames, email addresses and passwords from address books, even after some vendors released fixes. They coughed up Active Directory usernames and application data and offered hostname information.

"We're able to gain access to Active Directory environments by extracting useable credential data from multi-function printers 40 to 50 percent of the time," Heiland (@percent_x) said.

"So I walk into a company (with about 1000 staff) and they have some fairly current business/enterprise printers and 40 to 50 percent of the time we're able to get Active Directory credentials off those printers to gain elevated access

"A lot of people don't realise these high end printers can store passwords in the address books."

The Canon hack worked because encryption of passwords in the POST request could be turned off, enabling an attacker, in Heiland's words, to just "ask nicely" for the passwords.


Deral Heiland

Deral Heiland


Data extractable from the printers included usage tracking, scanned-in files and emails, and LDAP credentials.

He said an LDAP pass-back attack worked on almost all enterprise printers since most allowed remote LDAP lookups which would send attackers plain-text passwords.

During one enterprise security test Heiland said he was able to access the payroll database for its 4000 staff through a human resources printer that was not isolated.

Development of a Metasploit module designed to making popping printers even easier is a boon for penetration testers, who, Heiland said, often overlook printers as an attack vector. The module would be built on Heiland's Praeda automated harvesting tool.

The Metasploit tool would allow users to contribute their own printer pwning modules to build out this penetration testing tool.

Heiland recommends enterprises turn off automatic firmware upgrades on printers, and change default passwords. The boxes should also be isolated by departments and be cut off from internet access.

This finding is the latest from his research into breaking multifunction printers, begun in 2010. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.