Last modified: Tuesday, April 1, 2008
IU security engineer uncovers a commercial printer vulnerability
FOR IMMEDIATE RELEASE
April 1, 2008
BLOOMINGTON, Ind. -- Security engineers in the University Information Security Office (UISO) at Indiana University were at a loss when a client described a network-connected multifunctional printer that was acting strangely -- even printing spam e-mail messages onto paper.
While investigating the printer problem, Nate Johnson, IU lead security engineer, took a chance and tested the printer for vulnerability to an FTP bounce attack. In an FTP bounce attack the attacker abuses the FTP PORT command, which tells a server where to open its data connection, by naming a third host and port instead of the attacker's own machine; the server then makes that connection on the attacker's behalf, so a port scan or other traffic appears to originate from the server rather than from the attacker, essentially covering their tracks online.
Johnson's hunch paid off, and with the maneuver, he discovered a security risk in a widely used family of Canon printers.
Johnson and UISO recently published the vulnerability in what is called a "responsible disclosure," having already alerted Canon to the problem without disclosing it to the public, allowing the company time to make the necessary changes before hackers gained access to the information. UISO has published four such disclosures in the last two years.
Johnson's test, a common tactic for security professionals looking for holes in network security, revealed a vulnerability in the FTP service of certain printers and other devices in the Canon imageRUNNER series: the service would accept a PORT command directing its data connection to an arbitrary third-party address. These widely used multifunction printers are the size of a traditional copying machine and include network services that can leave them open to misuse if not properly configured. An attacker can treat such a device as a relay, so that connections to other hosts, on the Internet or on the network the printer itself sits on, appear to come from the printer's address while the attacker's own location stays concealed.
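The check Johnson ran is, in essence, the one below. This is an added example written for this page, not code from UISO or Canon: the client logs in, sends a PORT command naming a third-party address, and reports whether the server accepts it. Two constructed mock FTP servers stand in for a bounce-capable device and a hardened one that only accepts its peer's own address, so the script runs offline without a printer. The target address and port (an RFC 5737 documentation address and the SMTP port), the anonymous login values and the mock replies are assumptions.

```python
import socket
import threading

# Assumed demo target: RFC 5737 documentation address, SMTP port. Not from the advisory.
DEMO_TARGET_IP = "192.0.2.10"
DEMO_TARGET_PORT = 25


def _read_reply(f):
    """Read one FTP reply (single- or multi-line) and return its numeric code."""
    first = f.readline().decode(errors="replace")
    if len(first) < 3 or not first[:3].isdigit():
        raise ConnectionError("server closed the control connection or sent garbage")
    code = first[:3]
    if first[3:4] == "-":  # multi-line reply: consume until "<code><space>"
        while True:
            line = f.readline().decode(errors="replace")
            if not line or line.startswith(code + " "):
                break
    return int(code)


def check_ftp_bounce(host, port, target_ip, target_port,
                     user="anonymous", password="guest@", timeout=5.0):
    """Return True if the FTP server at host:port accepts a PORT command that
    names a third-party address, i.e. it could be used as a bounce relay."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rwb") as f:
        def send(line):
            f.write((line + "\r\n").encode())
            f.flush()

        if _read_reply(f) != 220:
            return False  # not an FTP greeting
        send(f"USER {user}")
        code = _read_reply(f)
        if code == 331:
            send(f"PASS {password}")
            code = _read_reply(f)
        if code != 230:
            return False  # no login, so PORT cannot even be tried
        # PORT h1,h2,h3,h4,p1,p2 names the address the server should connect back to.
        # A hardened server only accepts the control connection's own peer address;
        # a bounce-capable one accepts anything.
        octets = target_ip.split(".")
        send("PORT " + ",".join(octets + [str(target_port >> 8), str(target_port & 0xFF)]))
        accepted = _read_reply(f) == 200
        send("QUIT")
        return accepted


def _mock_ftp_server(listener, strict):
    """Constructed stand-in for a device's FTP service (not Canon firmware).
    strict=False mimics bounce-capable behaviour; strict=True refuses
    third-party PORT targets, which is the mitigation."""
    conn, peer = listener.accept()
    listener.close()
    with conn, conn.makefile("rwb") as f:
        def reply(code, text):
            f.write(f"{code} {text}\r\n".encode())
            f.flush()

        reply(220, "mock printer FTP service ready")
        while True:
            raw = f.readline()
            if not raw:
                break
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                reply(331, "password required")
            elif cmd == "PASS":
                reply(230, "logged in")
            elif cmd == "PORT":
                requested_ip = ".".join(arg.split(",")[:4])
                if strict and requested_ip != peer[0]:
                    reply(500, "Illegal PORT command")  # refuse third-party targets
                else:
                    reply(200, "PORT command successful")
            elif cmd == "QUIT":
                reply(221, "goodbye")
                break
            else:
                reply(502, "command not implemented")


def start_mock_ftp(strict):
    """Start a mock server on an ephemeral localhost port and return the port."""
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=_mock_ftp_server, args=(listener, strict), daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    for strict in (False, True):
        port = start_mock_ftp(strict)
        bounce = check_ftp_bounce("127.0.0.1", port, DEMO_TARGET_IP, DEMO_TARGET_PORT)
        label = "hardened" if strict else "bounce-capable"
        print(f"{label} mock on port {port}: third-party PORT {'ACCEPTED' if bounce else 'refused'}")
```

A 200 reply only shows the server is willing to accept the foreign address; the relayed connection is made when a data-transfer command such as LIST or RETR follows, which this check deliberately does not send. Against real hosts, nmap's -b option performs the same bounce scan; run it only against devices you are authorized to test.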
"I stumbled across the security vulnerability," said Johnson. "The customer was having a problem with a printer, and on a whim I tested it. Hopefully now that we have published the risk, people and businesses with these devices will take another look at their inventory."
In the often murky online security environment -- in which debates rage regarding vulnerability disclosures and commercial responsibility -- Johnson was glad to abide by IU's commitment to the high road.
"I think it's the right thing to do," Johnson said of UISO efforts to alert Canon before hackers could gain access to the information, and subsequently inform the public.
As a part of its own alert, the company stated that "Canon Inc. would like to thank Nate Johnson and Indiana University for finding and reporting to Canon U.S.A., Inc. this vulnerability."
The University Information Security Office provides active security analysis, development, education, and guidance related to Indiana University's information assets and information technology environment.
Users with Canon devices affected by this vulnerability may need to contact the manufacturer to fix the problem, and Canon has made the necessary resources available to do so. Until a device is fixed, disabling its FTP service where it is not needed, or restricting access to it to the hosts that actually use it, limits the exposure.
To view the detailed alert as reported by UISO, visit:
To view the alert from Canon, visit: