Fatal flaw puts Xerox printers at risk

Xerox Corp. is scrambling to update a security patch following the disclosure of a major security flaw in its WorkCenter multifunction printers.

By taking advantage of a configuration error in the printers’ Web interface, security researcher Brendan O’Connor was able to run unauthorized software on the printers, compromise network traffic, and access sensitive information being printed on the machines. He shared details of how to compromise the printers during a presentation at the Black Hat USA conference in Las Vegas Thursday.

“Think of all the sensitive data that’s going through these,” he said. “Everybody prints and there’s an inherent trust in these types of devices.”

O’Connor said he was not trying to “pick on Xerox,” but rather using his hack as a case study to draw attention to the security threat posed by increasingly powerful embedded devices.

“I don’t think they’re getting the level of scrutiny that they require,” said O’Connor, who identified himself only as a security engineer with a U.S. financial services company.

“This is a Linux server wrapped in a copier box. These things are all over the enterprise,” he said.

Xerox issued a patch for the vulnerability in February. It affects WorkCenter and WorkCenter Pro series 200 devices sold between October 2005 and June of this year, said Armon Rahgozar, a manager with Xerox’s Solutions and Partnership Technology Office.

However, that Xerox patch does not fully address the vulnerabilities, O’Connor said. “My company is still vulnerable to these things,” he said.

Rahgozar said that Xerox was working to address the situation and would issue an updated patch.

Customers can either download the patch from the Xerox Web site or wait for service technicians to apply the patches at their next scheduled servicing.

Xerox is also developing an automatic update system for its products, similar to Microsoft Corp.’s, Rahgozar said. “We probably want to follow the model that Microsoft has learned the hard way,” he said. “You provide the push mechanism, but it’s controlled by administrators at the site.”

When Rahgozar showed up for O’Connor’s Black Hat talk, the researcher said that he was worried that Xerox might be considering legal action against him in the same way that Cisco Systems Inc. sued security researcher Michael Lynn at last year’s conference.

“When the guy said, ‘I’m from Xerox,’ I thought Mike Lynn,” O’Connor said in an interview after his presentation.

Those concerns were unfounded however. After the talk, Rahgozar thanked the researcher, saying he was doing the industry a service.

“So how much do you hate me?” O’Connor asked Rahgozar.

“Not at all,” the Xerox manager said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now