Indiana U. Engineer Finds Security Flaw in Popular Internet-Connected Copy Machine
April 2, 2008, 3:45 pm
By Jeff Young
These days, it seems like just about every kind of gadget can be connected to the Internet — video game consoles, iPods, and even photocopiers (or multifunctional printers, as the manufacturers call the large machines that can copy or print from networked computers). Nate Johnson, lead security engineer for Indiana University, recently discovered a security flaw in a copy machine at the university that highlights the challenges of all of this connectivity.
Mr. Johnson discovered the security flaw while investigating a routine problem with a Canon imageRUNNER. By doing a scan of the device, he discovered that the machine, which is connected to the university’s computer network, is open to an “FTP bounce attack.” That means that a malicious hacker could attack computers in a way that would make it appear that the printer was the attacker, thereby masking the location of the actual source of the attack.
“I sort of discovered it by accident,” he said in an interview today.
The university reported the flaw to Canon, using a procedure known as “responsible disclosure” — meaning that the researchers agreed to keep the flaw a secret until the company devised a fix. The company says it can now repair the problem, and it posted an announcement on its Web site about the flaw.
Mr. Johnson said that FTP bounce attacks were common with personal computers in the 1990s, but that most PC software is now far less vulnerable to the problem. But as more and more types of gadgets come Internet-ready — though not necessarily as secure — the attack style is back, he said.
“Hell, you can get a refrigerator that connects to the Internet now,” he added.
One takeaway for college IT managers: Make sure all those new gadgets have the latest updates and security patches. —Jeffrey R. Young
Original Post