
firewalls are not magic

Posted Dec 1, 2011 13:52 UTC (Thu) by dlang (subscriber, #313)
In reply to: Printer vulnerabilities via firmware update by michaeljt
Parent article: Printer vulnerabilities via firmware update

putting a printer behind a firewall doesn't actually do you much good if the same protocol that you use to print can be used to do firmware updates (unless you have an application level firewall that can detect the firmware update and block it)

if you have a printer directly exposed to the Internet, then you also are allowing anyone on the Internet to print anything they want in your office, using up paper and toner, wearing out the printer. That seems like a rather significant problem in and of itself :-)

firewalling also won't really help the identity theft example given (it may make it a smidge more complicated), because all that you need to do is to have the printer store the document and the second computer can retrieve the info later


Why a problem?

Posted Dec 1, 2011 14:54 UTC (Thu) by NRArnot (subscriber, #3033)

Why is it automatically a problem to have your printer directly exposed to the internet? There's a sort of printer called a fax machine that has long been intended to be globally exposed to the telephone network. Before that there was the Telex machine. The worst that someone can do is to consume the printer's currently loaded supply of paper and ink, which is annoying but not catastrophic. Further, deliberately doing so is almost certainly criminal damage and may not be very hard to trace back to the perpetrator. If he knows how to cover his tracks he's hardly likely to be interested in merely wasting paper and ink.

The game changes dramatically if that is NOT the worst they can do, if they can write the device firmware via the port(s) intended to be used for writing the paper. Firmware updates should access the printer through a different port, and the printer should as shipped have that port either firewalled for local subnet access only, or (much better) turned off. SOP would then be "Firmware Update Enable" -> "On" using the front panel, before running the firmware updater, which in turn should re-set the enable state to "Off" upon successfully installing the update. Paranoia should dictate re-setting to "Off" maybe 12 hours later, even if no firmware update was sent.

It's the problem of the missing hardware write-lock switch, for the umpteenth time.
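The two defensive ideas raised in this thread, dlang's application-level filter that recognises a firmware image inside a print job, and NRArnot's "Firmware Update Enable" switch that is on only for a bounded window and resets after one update, can be sketched together as a small print-proxy policy. The code below is an added example written for this page, not code from LWN or from any commenter or printer vendor. It assumes HP-style PJL jobs, where a firmware image is introduced by the real PJL command `@PJL UPGRADE`; the sample jobs, the proxy, the `FirmwareUpdateGate` class and the 12-hour window are constructed for illustration.

```python
import re
import time
from typing import Callable, List, Optional

# "@PJL UPGRADE" is the PJL command that precedes a firmware image in a job
# stream (assumption: HP-style PJL printers). The match is line-anchored and
# case-insensitive; other vendors' update formats would need their own rule.
PJL_UPGRADE = re.compile(rb"(?im)^@PJL[ \t]+UPGRADE\b")


def contains_firmware_update(job: bytes) -> bool:
    """Return True if a PJL job stream carries an UPGRADE command.

    Ordinary document text that merely contains the word 'upgrade' is not
    flagged, because only lines that begin with '@PJL' are inspected.
    """
    return PJL_UPGRADE.search(job) is not None


class FirmwareUpdateGate:
    """Software model of a front-panel 'Firmware Update Enable' switch.

    Off by default; an operator turns it on for a bounded window; it turns
    itself back off after one successful update or when the window lapses,
    whichever comes first (fail closed).
    """

    def __init__(self, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._window = window_seconds
        self._clock = clock                   # injectable so the timeout is testable
        self._enabled_until: Optional[float] = None

    def enable(self) -> None:
        self._enabled_until = self._clock() + self._window

    def disable(self) -> None:
        self._enabled_until = None

    def is_enabled(self) -> bool:
        if self._enabled_until is None:
            return False
        if self._clock() >= self._enabled_until:
            self.disable()                    # window lapsed: back to 'Off'
            return False
        return True


def filter_job(job: bytes, gate: FirmwareUpdateGate) -> str:
    """Policy decision for one job passing through a hypothetical print proxy.

    Returns 'allow-print', 'allow-firmware' or 'block-firmware'.
    """
    if not contains_firmware_update(job):
        return "allow-print"
    if gate.is_enabled():
        gate.disable()                        # one-shot: next image needs a fresh enable
        return "allow-firmware"
    return "block-firmware"


# Constructed sample jobs (UEL is PJL's universal exit language prefix).
UEL = b"\x1b%-12345X"
PLAIN_JOB = (UEL + b"@PJL JOB NAME=\"memo\"\r\n@PJL ENTER LANGUAGE=PCL\r\n"
             b"Please upgrade the coffee machine.\r\n" + UEL)
FIRMWARE_JOB = (UEL + b"@PJL JOB NAME=\"rfu\"\r\n@PJL UPGRADE SIZE=12\r\n"
                b"\x00\x01\x02firmware!!" + UEL)


def demo() -> List[str]:
    """Walk the gate through the operating procedure described in the thread."""
    now = [0.0]                               # fake clock, in seconds
    gate = FirmwareUpdateGate(window_seconds=12 * 3600, clock=lambda: now[0])
    decisions = [filter_job(PLAIN_JOB, gate),      # ordinary document passes
                 filter_job(FIRMWARE_JOB, gate)]   # switch is off: image blocked
    gate.enable()                                  # operator sets 'Firmware Update Enable' -> On
    decisions.append(filter_job(FIRMWARE_JOB, gate))   # allowed once
    decisions.append(filter_job(FIRMWARE_JOB, gate))   # switch auto-reset: blocked
    gate.enable()
    now[0] += 13 * 3600                            # 13 hours pass with no update sent
    decisions.append(filter_job(FIRMWARE_JOB, gate))   # window lapsed: blocked
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The marker check is deliberately narrow: it only covers the one update path the thread discusses, and a job that reaches the print engine by a route the proxy does not see, or an update mechanism that does not use PJL, would not be caught. The timed, one-shot gate is the part that does not depend on recognising the image at all, which is why NRArnot's hardware-style write-lock is the more robust of the two controls.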

Why a problem?

Posted Dec 8, 2011 6:31 UTC (Thu) by jamesh (guest, #1159)

I haven't had to manage printers in a while, but with some of the older HP printers, the only way to send data to the print engine was via print jobs.

While the printers came with fancy network interface cards with support for almost every network printing protocol you can think of, these were essentially separate devices. The NIC could be used with a number of different models of printer, and the printer would function if you removed the NIC. Without the NIC, the only methods of input were the parallel port and the buttons on the control panel.

If you wanted to upgrade the print engine's firmware (as opposed to the NIC's firmware), it needed to be sent as a print job. You could submit this job via the parallel port or via the NIC -- it would look the same to the print engine.

I wouldn't be surprised if they could improve things these days where networking is integrated into the printers better, but there is probably a lot of legacy code in the printers.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds