The call is coming from inside the house...

The call is coming from inside the house...

Friday Mar 07, 2014


Many years ago, when I worked for Lexmark, I presented to Corrections Services IT.  These are the geeks who control the tech at the prisons. Everything from phone systems to PCs.  They also handle printers, and as a government agency, they print a lot.  Add to that their constant concern over security.  During my presentation, one of the IT guys asked about printer viruses.  Turns out he had just deployed some new anti-virus software and this was top of mind.  I politely told him that printers don't get virus.  I mean, how could they right?  He pushed a little more and I indulged for a minute then said we could take it offline as we had lots of content to get to.  Turns out there wasn't time to chat after the meeting but as "luck" would have it, he was on my flight back to Calgary, sitting beside me!

Great, a nice flight home sitting beside some guy with a tinfoil hat, grilling me on printer security. This should be fun.  I assured him that printers couldn't be hacked, part of it was limitation of the device, how components in the device don't know about each other (eg: the fax card isn't actually connected in any way that someone could dial in and get onto the network), and that you also have security through obscurity.  I mean, who'd even attempt to attack a printer when you've got all sorts of PCs and servers you could have your way with.  Printers account for such a small percent of the overall technology in the office, just like the Mac has never made it past 10% market share, as such, why would you build malware/viruses for that platform when you'd get better bang for your buck on the Windows side.

Well, I guess its time to eat crow.  There was a time when maybe all of this was true, but with companies like Xerox implementing Cisco TrustSec, McAfee Secure Device, and the ability to only run digitally signed code, it seems out thinking about security and printers has changed.

Part of this new belief is that these devices are no longer dumb peripherals.  They are full fledged computers executing code, broadcasting messages to servers and users, communicating back to the mother-ship with page counts, and so on.

A few years back we all heard about the printer hack that would let you start an HP printer on file.

http://arstechnica.com/business/2011/11/hp-printers-can-be-remotely-controlled-and-set-on-fire-researchers-claim/

Well it has gotten worse...a whole lot worse.  Picture your favourite spy show, the lead character has a meeting at the company he is trying to infiltrate. On his way out he says "Oh, one last thing, could you print this map for me.  I'm new to this town and want to make sure I don't get lost".  He hands over a USB key with a document on it.  The document is printed.  He heads back to to his lair, powers up his computer, selects the room at the office that he wants to listen in on and presto.  He's activated the microphone on the phone in that office.  He's bugged every phone in the entire office, with one print job!

http://arstechnica.com/security/2014/02/how-to-turn-a-phone-into-a-covert-bugging-device-infect-the-printer/

I'm afraid to think of what is next....