
MIT Technology Review

 


Add one more device to the list of things you need to protect from hackers: The humble printer.

In two separate presentations scheduled for the Shmoocon hacking conference in Washington, D.C., next week, researchers will show how hackers can use printers to compromise a company’s computer network. One presentation will reveal how poorly secured printers can even be grouped together to act as online storage for cybercriminals.

Over the past decade, many ordinary office devices have gained surprising new functionality—nowadays, some printers can send and receive e-mails, and even browse the Web. But Deral Heiland, an independent security consultant who will give one of the presentations, says manufacturers haven’t given security nearly the attention it deserves in light of all the new features. “These devices have gone from being standard, simple printers that got on the network to the point where they are totally integrated in the business environment,” Heiland says. “And that heavy integration is what makes them a premium target.”

Heiland, who works as a “penetration tester,” or someone who attempts to hack into a company’s network under controlled circumstances, was inspired to look for printer flaws and configuration issues.

At Shmoocon, Heiland will demonstrate a program called “Praeda” (Latin for plunder) that uses a collection of common security flaws and configuration issues—such as default passwords—to gain access to printers from outside a company’s network. Vulnerable printers can then be used to compromise the network. Once the tool gets inside the network, it can steal passwords and files, giving it even more access to servers and other devices.

Heiland says simple configuration issues often make printers vulnerable in this way. For example, many manufacturers do not force users to set a new password to access their device. That means many printers have default passwords that can easily be found in manuals posted online. In addition, printers that can be accessed via a Web browser often run insecure Web server software, allowing a knowledgeable attacker to find usernames and passwords.

“We have found out that with a lot of printers, that data is not obfuscated very well,” Heiland says. “Where it stores the username and password, we can go into the source and find a field with the information in plaintext.”
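An administrator can check their own devices for the plaintext-in-source problem Heiland describes. The following is an added example, not code from the article or from Praeda: it parses a saved copy of a printer's web configuration page and flags credential fields whose `value` attribute is sent to the browser. The field names, the hint list, and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Field-name fragments that suggest a stored credential (assumed list, extend as needed).
SENSITIVE_HINTS = ("pass", "pwd", "secret", "community", "bindpw")

class CredentialFieldAuditor(HTMLParser):
    """Collects <input> fields whose value attribute ships a credential to the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id", "")
        value = a.get("value", "")
        field_type = a.get("type", "text").lower()
        looks_sensitive = field_type == "password" or any(
            h in name.lower() for h in SENSITIVE_HINTS)
        # A masked box in the UI still exposes its value in the page source.
        if looks_sensitive and value.strip():
            # Record only the length so the audit report does not leak the secret.
            self.findings.append({"field": name, "type": field_type,
                                  "length": len(value)})

def audit_page(html_text):
    auditor = CredentialFieldAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings

# Constructed sample: a hypothetical settings page saved from a printer admin UI.
SAMPLE_PAGE = """
<form action="/ldap_save" method="post">
  <input type="text" name="ldapServer" value="ldap.example.internal">
  <input type="text" name="ldapUser" value="svc-print">
  <input type="password" name="ldapPassword" value="Constructed-Example-1">
  <input type="hidden" name="smtpPwd" value="Constructed-Example-2">
  <input type="password" name="adminPassword" value="">
</form>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE):
        print(f"{f['field']}: {f['type']} field carries a {f['length']}-char value")
```

Any finding means the device returns a stored secret to whoever can load that page, so the fix is a firmware or configuration change on the printer, plus rotating the exposed credential.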


Credit: Technology Review

Tagged: Computing, security, cyber attacks, hack, cybercriminals, computer networks
