3 steps to total compromise – why Google’s 86,000 indexed printers should have your IT team jumping.
06 February, 2013 11:56
There’s been a bit of coverage in the technology press about Google’s “indexing” of tens of thousands of publicly available printers connected directly to the Internet.
According to Darren Arnott, Principal Consultant with information security consultancy TrustedImpact, this means that two to three billion internet users can view the details about your printer’s configuration.
“So what, right? Well, random hackers launching ‘printer attacks’ to use up your company’s paper and printer toner is the least of your worries.”
Arnott provided evidence showing that important information is easily readable from these devices and can be used to access and compromise a company’s network and its systems. That means the company’s entire IT estate, from its customer databases to its electronic files.
While your printer will have a lot of useless information, it also has a small amount of very important information that’s useful to someone with a little technology insight or creativity.
For example, Arnott found that anyone on the internet can see things on these printers including:
• Print job information including username and document name
• Stored documents that may have been printed or scanned and can be downloaded
• Network configuration information which may reveal internal network information such as authentication server names or other sensitive information (eg, “SNMP community strings”)
“Yes, that’s right, passwords. Many of these devices are typically configured to also connect to a company’s email and file systems. It’s those connections that should be the grave concern for an organisation’s IT team.”
Those connections are typically configured through ‘administrative web management interfaces’, and they require a stored username and password so the printer can talk back and forth to the company’s internal IT systems.
With access to this interface, on many printer models it’s a simple exercise to view these usernames and passwords. Quite often these are ‘privileged accounts’ that have full access to your internal network and IT systems. Once someone has access to your network and systems, they have access to your data.
Arnott explained the three steps to compromise:
Step 1: Choose a target from the 86,000 devices and identify usernames and passwords.
Step 2: Identify the organisation the device is connected to.
Step 3: Search for ‘VPN endpoints or webmail servers’ and use these credentials to gain a foothold into the company’s network.
“Our firm (TrustedImpact) has successfully used these types of usernames and passwords gathered from unprotected printers in technical security tests (aka Penetration Tests) to obtain elevated administrative access to a variety of company networks and sensitive data in order to help those organisations protect their systems from hackers.”
“Your IT team needs to remove those printers from direct access to the internet, or put solid passwords on them to protect from prying eyes.”
Why be worried? If only one in a hundred internet users wanted to see your data, that’s still one very large number… in fact, it’s about the same size as every man, woman and child living in Australia.
It’s inevitable that some of the data residing in your company’s systems would be worth money on the black cyber-market; such as customer credit card data or company bank account details (in fact, the list goes on). And if it’s worth money to someone, you’re guaranteed that it will motivate some percentage of that two to three billion internet population to try to gather it.
Furthermore, if you’re the custodian of your customers’ sensitive data, you need to consider the value of this data to a malicious third party and keep your organisation from becoming one of the many ‘roadkill on the information superhighway’ like major companies such as Heartland, TJX, Epsilon, Fidelity, Global Payments, or Sony (and again, the list here goes on).
The bottom line according to Arnott: “All IT ‘management interfaces’ to your network or systems should not be accessible on the internet and if they must be for business reasons, they should be adequately secured using rigorous usernames and passwords.”
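As an added, defender-side illustration of that bottom line (example code written for this page, not from the article or from TrustedImpact): a short Python audit that reads a device inventory and flags printer management interfaces that sit outside the organisation’s internal address ranges, still use the default SNMP community strings ‘public’ or ‘private’, are managed over a cleartext protocol, or have no administrator password set. The inventory rows, the RFC 1918 ranges treated as ‘internal’, the port list and the finding codes are all assumptions constructed for the example; the addresses are taken from the IETF documentation ranges and belong to no real device.

```python
import csv
import io
import ipaddress

# Constructed sample inventory (not real devices). Columns: device name,
# address of the management interface, management port, SNMP read community,
# whether an administrator password has been set on the web interface.
SAMPLE_INVENTORY = """\
device,mgmt_ip,mgmt_port,snmp_community,admin_password_set
hq-mfp-01,203.0.113.10,80,public,no
hq-mfp-02,10.1.20.15,443,R3ad-0nly-7x,yes
branch-printer-07,198.51.100.22,443,private,yes
lab-printer-03,192.168.4.8,80,public,yes
"""

# Assumption: the organisation's internal space is the RFC 1918 ranges.
# Anything outside them is treated as reachable from the internet.
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Vendor-default community strings that give every internet user the
# configuration data the article describes.
DEFAULT_COMMUNITIES = {"public", "private"}

# Management ports that carry the web UI or console unencrypted (assumed list).
CLEARTEXT_PORTS = {80, 23}

# Finding codes and their human-readable descriptions.
FINDINGS = {
    "EXPOSED": "management interface is outside the internal address ranges",
    "DEFAULT_COMMUNITY": "SNMP community string is a vendor default",
    "CLEARTEXT": "management interface uses a cleartext protocol",
    "NO_ADMIN_PASSWORD": "no administrator password set on the web interface",
}


def is_internal(ip_text):
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_RANGES)


def audit_device(row):
    """Return the list of finding codes that apply to one inventory row."""
    codes = []
    if not is_internal(row["mgmt_ip"]):
        codes.append("EXPOSED")
    if row["snmp_community"].strip().lower() in DEFAULT_COMMUNITIES:
        codes.append("DEFAULT_COMMUNITY")
    if int(row["mgmt_port"]) in CLEARTEXT_PORTS:
        codes.append("CLEARTEXT")
    if row["admin_password_set"].strip().lower() != "yes":
        codes.append("NO_ADMIN_PASSWORD")
    return codes


def severity(codes):
    """An internet-reachable interface whose credentials are readable (default
    community or no password) is the scenario in the article: critical."""
    exposed = "EXPOSED" in codes
    readable = "DEFAULT_COMMUNITY" in codes or "NO_ADMIN_PASSWORD" in codes
    if exposed and readable:
        return "critical"
    if exposed or readable:
        return "high"
    return "medium"


def audit_inventory(csv_text):
    """Map each device with findings to its list of finding codes."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        codes = audit_device(row)
        if codes:
            results[row["device"]] = codes
    return results


if __name__ == "__main__":
    for device, codes in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {severity(codes)}")
        for code in codes:
            print(f"  - {FINDINGS[code]}")
```

Run against the constructed inventory, the script reports hq-mfp-01 and branch-printer-07 as critical (reachable from outside and leaking a default community string or lacking a password), lab-printer-03 as high (internal, but still on the default community over plain HTTP), and nothing for hq-mfp-02. Feeding it the real asset inventory, with the internal ranges adjusted to the organisation’s own, turns the article’s recommendation into a repeatable check.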
Author: Darren Arnott is a Principal Consultant with TrustedImpact, a specialised information security consultancy headquartered in Australia. Follow us on twitter on @trustedimpact or visit us at www.trustedimpact.com.