While security managers find it challenging enough to maintain secure patch levels across their organisations' desktops, servers and networking gear, there's a new class of network equipment that you'll need to add to the list: high-end networked scanners, copiers, printers and multi-function devices.
These may not be the devices most targeted for attack right now, but they're likely to move up that list very soon. First, the manufacturers are increasingly moving away from proprietary operating systems and software that run these devices in favour of readily-available operating systems.
Second, there has been heightened visibility regarding the vulnerabilities associated with these devices, including a presentation at this year's Black Hat security conference. Recently, while at a customer site, we identified vulnerabilities on a networked printer that left the organisation open to attack.
Until recently, these types of devices were based on specialised software running on RISC-based processors, and few attackers had the knowledge or skills necessary to identify and exploit the vulnerabilities that would make a successful attack possible. Today, more of these devices are built on traditional Intel processors running common operating systems such as Linux, and even Apache Web server software. That's why high-end multi-function devices and printers are beginning to look amazingly similar to any other IT appliance attached to the network.
The result is that they're now vulnerable to the same types of attacks as standard desktops and servers, and can be used as a potential jump-point to other devices and systems, to monitor data travelling across the network, or to launch DoS attacks. And the data actually residing on these devices can be critical, even regulated: more and more of them come equipped with hard disks, and everything copied can be cached there.
Unauthorised access to photocopied or scanned information would be troubling to any organisation, as it could place product, sales, marketing and other forms of proprietary information at risk. But the risks are especially worrisome for any type of regulated business where financial information is regularly copied, as is HIPAA-related information at health care and insurance providers.
We don't want to overstate the danger, but the risks to proprietary information can be significant. On a properly configured and segmented network, the primary risk arises from insiders, who generally have the greatest network access to these devices. However, it's been our experience that many companies don't pay adequate attention to the access control policies associated with these devices.
If remote attackers do manage to get onto a networked printer, they can then map segments of your network, or possibly even all of it. Then (in the vast majority of cases today) they can use their presence on a completely unmonitored printer to sniff all network traffic, including usernames and passwords, and wait for vulnerabilities or other opportunities to escalate their network access.
Thus, while few companies monitor these devices today, it's crucial that they start. Patch levels need to be adequately maintained - which today, unfortunately, may require an engineer to be dispatched to deploy the patch manually. In addition, one of the best defences is to incorporate the management of these devices into your security policy and to ensure that close attention is paid to their firewall and network access controls - just as if they were any other networked workstation or server.
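One concrete way to apply the firewall and network access controls described above is to put the printers on their own segment and let the gateway enforce who may talk to them and what they may talk to. The ruleset below is an added example, not from the article or from any vendor; it assumes a Linux router running nftables between the segments, and every address in it is a constructed placeholder.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): segmentation policy for a printer VLAN,
# applied on a Linux router/firewall sitting between the segments.
# All addresses below are constructed placeholders.
define printer_vlan = 10.20.30.0/24   # networked printers / multi-function devices
define print_server = 10.20.10.5      # the only host that should submit jobs
define admin_net    = 10.20.1.0/24    # where device management is done from
define syslog_srv   = 10.20.10.9      # log collector, so the devices are no longer unmonitored

table inet printer_segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # keep replies to permitted flows working in both directions
        ct state established,related accept

        # print server -> printers: raw printing (9100) and IPP (631) only
        ip saddr $print_server ip daddr $printer_vlan tcp dport { 9100, 631 } accept

        # admin subnet -> printers: the embedded web management interface and SNMP
        ip saddr $admin_net ip daddr $printer_vlan tcp dport { 80, 443 } accept
        ip saddr $admin_net ip daddr $printer_vlan udp dport 161 accept

        # printers may originate traffic only to the syslog collector; anything else
        # a compromised device might attempt (mapping other segments, acting as a
        # jump-point, DoS traffic) is dropped and logged so it shows up in monitoring
        ip saddr $printer_vlan ip daddr $syslog_srv udp dport 514 accept
        ip saddr $printer_vlan log prefix "printer-egress-denied: " drop
    }
}
```

Because the printers sit on their own VLAN, a compromised device can only sniff traffic on that segment rather than the traffic of workstations and servers elsewhere, and the logged drops give the monitoring the article says is missing today.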
Amol Sarwate is director of Qualys' vulnerability research lab.
Hot or not: Network embedded device security threats
By Amol Sarwate, on Dec 5, 2006 9:00AM