Vulnerability per Role
Yellow Craig W., Cyan Fujitani, Salmon Ron Nevo
Style Guide?
By vulnerability level
00: policy making that affects configuration or usage
10: configuration issues that affect usage
20-25: usage vulnerability families by role
Generic: 0
Specific: 1 printer
2 scanner
3 fax
4 copier
5 managed device
6 networked device
00.00 Policy (Meta-Meta Usage) Level Vulnerabilities
00.00.01 Unauthorized/Unannounced architectural changes
00.00.02 Unauthorized/Unannounced alteration of access policy
00.00.03 Use of management application to create backdoor to steal identity information
00.00.04 Lack of multiple management roles specific to the needs of a "key operator" versus network
administrator versus service personnel
00.00.05 Maliciously set policies/architectures that allow configuration and usage vulnerabilities
00.00.06 On a device with a general purpose embedded OS such as Linux, there may be many capabilities
available to a hacker that successfully compromises the internal web server.
00.01.07 If the management interface allows sending print jobs, then the management interface can be used as a
potential entry point for Print device exploits.
00.05.05 Hacking the internal web server (Since the internal web server may exist solely for use as a
management interface, any compromise of the internal web server may be viewed as a Managed Device
vulnerability.)
10.00 Configuration (Meta Usage) Level Vulnerabilities
10.00.01 Unauthorized alteration of access settings
10.00.02 Adding unsupported hardware on an existing physical interface (where the operating system supports
plug and play); a physical security issue
10.00.03 A dual-capability modem chip set (fax/data) could be used to send fax data out over the phone lines to a
computer, etc. via the data capabilities of the modem
10.05.01 Use of logs of a managed device to obtain network information which may be used in an attack on the IT
systems
10.05.02 Unauthorized deletion of log(s)
10.05.03 Unprotected or misused service personnel access ports are used to change configuration or obtain other
information
10.05.04 Unauthorized firmware updates
10.05.05 Unlocked operator panel
10.05.06 SNMPv1 with the default "public" community name
10.05.07 SNMPv2c (community-based SNMPv2) provides no security: the community name, its only credential, and all
other fields are sent in clear text
10.05.08 SNMPv3 includes authentication and encryption; it only helps if the device implements it and v1/v2c access
is disabled
10.05.09 Unalterable SNMP community names
10.05.10 Obtain unauthorized access to the management interface because it is not protected, e.g. the factory
default is no password or a published password, or the default password was never changed
10.05.11 Spoof the management interface to allow stealing login credentials.
10.05.12 Social engineering.
10.05.13 Network sniffing to obtain login credentials, especially for protocols where credentials are sent
unencrypted such as Telnet, FTP, and HTTP (TFTP carries no credentials at all, so any client can use it).
10.05.14 Inappropriate configuration and setup…..
10.05.15 Obtain network information such as DHCP, WINS, SMTP server addresses.
10.05.16 Obtain personal information such as email addresses, contact information, stored print job information.
10.05.17 Obtain device usage/accounting information.
10.05.18 BOOTP/DHCP server spoofing
10.05.19 Unauthorized firmware updates for security management
10.05.20 Unlocked operator panel
10.05.21 Guessing of passwords because the device fails to require robust passwords
10.05.22 Intercept or otherwise infer information to facilitate social engineering attacks.
10.05.23 Spoof the management interface to allow stealing login credentials.
10.05.24 Using the management interface (i.e. logged in as administrator) to intercept or otherwise obtain private
stored print/scan/fax/copy jobs (e.g. from the mailbox file on the hard disk).
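The SNMPv1/v2c entries above (default "public" community name, credentials in clear text) can be verified without a commercial sniffer. What follows is an added example, not part of this list and not any vendor's code: it hand-encodes an SNMPv1 GetRequest for sysName.0 using only the Python standard library, then shows what a passive observer on the LAN recovers from the datagram and how an auditor would flag default or weak community names. No device is contacted; the datagram is built in memory, and the set of default community names is an assumption for illustration.

```python
"""SNMPv1/v2c community names travel in clear text (added example)."""

# Community names commonly shipped as factory defaults. Illustrative list, an
# assumption of this example rather than any vendor's documented values.
DEFAULT_COMMUNITIES = {"public", "private", "admin", "write", "default"}

# --- minimal BER encoder (SNMP uses a subset of ASN.1 BER) -------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(v):
    # INTEGER: two's complement, minimal length (128 needs a leading 0x00 byte)
    nbytes = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(nbytes, "big", signed=True))

def _ber_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                               # base-128, high bit = "more"
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def build_snmp_get(community, oid, version=0, request_id=1):
    """SNMPv1 (version 0) or SNMPv2c (version 1) GetRequest for one OID."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")          # value = NULL
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))                           # GetRequest-PDU
    return _tlv(0x30, _ber_int(version)
                + _tlv(0x04, community.encode("ascii")) + pdu)  # Message

# --- what an observer on the wire sees ---------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def sniff_community(datagram):
    """Return (version, community) from a captured SNMP datagram.

    For SNMPv3 (version 3) the second element is msgGlobalData rather than a
    community string, so None is returned for the credential.
    """
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbytes, pos = _read_tlv(msg, 0)
    if vtag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(vbytes, "big", signed=True)
    if version == 3:
        return version, None
    ctag, cbytes, _ = _read_tlv(msg, pos)
    if ctag != 0x04:
        raise ValueError("missing community string")
    return version, cbytes.decode("ascii", "replace")

def audit_datagram(datagram):
    """Findings a passive auditor would raise for one datagram (10.05 SNMP entries)."""
    version, community = sniff_community(datagram)
    findings = []
    if version in (0, 1):
        name = "SNMPv1" if version == 0 else "SNMPv2c"
        findings.append("%s: community '%s' sent in clear text" % (name, community))
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("default community name '%s'" % community)
        elif len(community) < 12:
            findings.append("short community name '%s' is guessable" % community)
    return findings

if __name__ == "__main__":
    pkt = build_snmp_get("public", "1.3.6.1.2.1.1.5.0")   # sysName.0
    print(pkt.hex())
    for finding in audit_datagram(pkt):
        print("-", finding)
```

The same `sniff_community` routine applied to the UDP payloads of a real capture is enough to inventory every device still answering to v1/v2c; the audit deliberately reports the clear-text exposure even when the community name is strong, because changing the community name does not fix the transport.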
10.06.01 Bridging fax/data modem to Ethernet
10.06.02 Remote access phone line e.g. for services or accounting bridges to Ethernet.
10.06.03 Bridging two separate networks together using two network adaptors (e.g. one secure and one insecure
network)
10.06.04 Unnecessary services of a general purpose OS (eg Linux) are started automatically and provide
potential entry points to the system
10.06.05 Enabling infection by viruses or Trojan horses by running an embedded version of a popular operating
system susceptible to attacks.
10.06.06 Enabling similar infection by using FTP/HTTP/etc. to load an executable virus or other executable file (e.g.
one that changes the RIP).
10.06.07 Enabling infection by sending of a PostScript or PJL job that generates a virus.
10.06.08 Enabling infection by using downloads of modified firmware (printer, network interface, scanner).
10.06.09 Enabling infection by using download executable code.
10.06.10 Theft of the device's identification (e.g. spoofing) by changing the DNS server so the printer name points to
another device that will capture the data.
10.06.11 Spoofing by masquerading as the hardcopy device and capturing all the jobs or sending network traffic
as if the hardcopy device.
10.06.12 Telnet access into a device which has operating system functions that support unintended operations.
The user now has the access rights of the device which are most likely higher than his normal rights.
10.06.13 Set up an FTP session in passive mode to gain access to a passive FTP port. This port can then be
used as a "proxy" to gain access to other devices with the access rights of the printer.
10.06.14 Using unblocked ports, protocols, and interfaces as a backdoor into the device through
o TFTP (for firmware upload)
o email (for firmware upload)
o Operator panel
o Telnet
o Via browser to internal web server
o Debug/Diagnostic/protocol
o Proprietary application
o SNMP
20.0 Denial of Service on the MFP
20.00.01 Unauthorized access to or alteration of a transaction log
20.00.02 Disabling or damaging biometric/card reader id device
20.00.03 Unplug or damage the power cord to the device
20.00.04 Physical injection of noise (ESD/induction)
20.00.05 Removal of user replaceable supplies (toner, paper etc.)
20.00.06 Unauthorized firmware update that always reports device malfunction
20.00.07 Electrically shorting phone lines to AC voltage lines.
20.00.08 Interfering/damaging the paper rolls so that they produce bad images, or mechanically malfunction
20.00.09 Otherwise mechanically/electronically interfere with the device, or its components
20.00.10 Interfere with the light sources, through the power supply
20.00.11 Take device offline with control panel or remote management applications
20.00.12 Modify device connection/connectivity settings (like IP address change, protocols enable/disable,
network services start/stop, interfaces)
20.00.13 Reset device settings to factory default through control panel or remote management applications
20.00.14 Looping execution occurring in other roles denying the services of a given role
20.00.15 Certain (as yet undetermined) PCL and other datastream vulnerabilities [similar in concept to
PostScript looping]
20.00.16 Flooding attacks on one or more open ports, including non-network (e.g., IrDA)
20.00.17 Intercept or otherwise obtain notification data that includes confidential information
20.00.18 Electromagnetic "sniffing" of laser head, phone line, or other EM emissions
20.01 Denial of Service of Printer
20.01.02 ??? TBD: PCL and other datastream vulnerabilities similar to the above
20.01.03 PostScript job with destructive operations (font removal/modification, file removal/modification, …)
20.01.04 Submitting an unsupported graphical format causes the printer to lock up or otherwise fail
20.01.05 Unauthorized RIP firmware update
20.01.06 Crash network services by sending crafted packets
20.01.07 Temporarily stopping the printer by flooding attacks on one or more open ports, including non-network
interfaces (IrDA, etc.)
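Several entries in 10.06 and 20.01 (jobs that alter the RIP, remove fonts or files, or change settings that outlive the job) share one control on the print server: inspect the PJL and PostScript prologue before the job is forwarded to the device. The block below is an added example, not part of this list and not any product's filter: it flags PJL commands that change persistent state or read device data back, and PostScript operators that escape the job's server loop or touch the file system. The two sample jobs, the file paths in them and the exact command sets are constructed for illustration; the check is a text heuristic and will also match these words inside comments, which is acceptable for a filter that errs toward holding a job.

```python
"""Spooler-side PJL/PostScript job inspection (added example)."""
import re

UEL = b"\x1b%-12345X"   # PJL Universal Exit Language; brackets every PJL block

# PJL commands whose effect outlives the job: persistent defaults, the device
# file system, and front-panel messages (20.01.03 and the 20.05 list).
PJL_PERSISTENT = {b"DEFAULT", b"INITIALIZE", b"FSINIT", b"FSDOWNLOAD", b"FSAPPEND",
                  b"FSDELETE", b"FSMKDIR", b"RDYMSG", b"OPMSG", b"STMSG"}
# PJL commands that read device state or files back to the sender (10.05 disclosure entries).
PJL_DISCLOSE = {b"FSUPLOAD", b"FSDIRLIST", b"FSQUERY", b"DINQUIRE", b"INQUIRE", b"INFO"}
# PostScript operators that leave the per-job server loop or modify persistent
# state (fonts, files, system parameters).
PS_PERSISTENT = [b"exitserver", b"startjob", b"setsystemparams", b"setdevparams",
                 b"deletefile", b"renamefile", b"undefinefont"]

_PJL_CMD = re.compile(rb"^@PJL[ \t]+([A-Z]+)(.*)$", re.M)
_PS_OP = re.compile(rb"(?<!\w)(" + b"|".join(PS_PERSISTENT) + rb")(?!\w)")
_PS_WRITE = re.compile(rb"\([wa]\+?\)\s*file")   # a file opened for write/append

def inspect_job(job):
    """Classify one spooled job; block=True if anything persistent was found."""
    text = job.replace(UEL, b"\n")        # make every PJL command start a line
    findings = []
    for m in _PJL_CMD.finditer(text):
        cmd, args = m.group(1), m.group(2).strip()
        line = b"PJL " + cmd + (b" " + args if args else b"")
        if cmd in PJL_PERSISTENT:
            findings.append(("persistent", line.decode("ascii", "replace")))
        elif cmd in PJL_DISCLOSE:
            findings.append(("disclosure", line.decode("ascii", "replace")))
    for m in _PS_OP.finditer(text):
        findings.append(("persistent", "PostScript " + m.group(1).decode()))
    for m in _PS_WRITE.finditer(text):
        findings.append(("persistent", "PostScript file write: " + m.group(0).decode()))
    return {"block": any(k == "persistent" for k, _ in findings), "findings": findings}

# Constructed sample jobs (not captured from any device).
BENIGN_JOB = (UEL + b'@PJL JOB NAME="report"\r\n@PJL SET COPIES=1\r\n'
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
              b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
              b"72 720 moveto (quarterly report) show showpage\n"
              + UEL + b"@PJL EOJ\r\n" + UEL)

HOSTILE_JOB = (UEL + b'@PJL JOB NAME="report"\r\n'
               b'@PJL FSDELETE NAME="0:/fonts/Helvetica.pfb"\r\n'   # font removal (path is made up)
               b"@PJL DEFAULT COPIES=999\r\n"                        # persistent default
               b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
               b"%!PS-Adobe-3.0\nserverdict begin 0 exitserver\n"   # escape job scope
               b"/Helvetica undefinefont\n"
               b"(%disk0%/jobs/last.ps) (w) file\n"                  # write to device disk
               b"showpage\n" + UEL)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("hostile", HOSTILE_JOB)):
        result = inspect_job(job)
        print(name, "block=%s" % result["block"])
        for kind, what in result["findings"]:
            print("  ", kind, what)
```

Disclosure-class commands are reported but not blocked by default, since some legitimate drivers query `@PJL INFO`; a site that does not allow device file-system access at all can simply move `FSUPLOAD` and friends into `PJL_PERSISTENT`.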
20.02 Denial of Service on the Scanner
20.02.01 Disable Scan service from operator panel (or put offline)
20.02.02 Disable Scan service from the workflow, by making the application send unauthorized commands to the
scanner as a reaction to scanned elements, e.g. by manipulating metadata such as a barcode
20.02.03 Denial of workflow services by degrading quality, performance of Scanner.
20.02.04 Scan solid black pages to exhaust toner or damage mechanism.
20.02.05 Changing Scanner configuration to work only in lowest resolution, or lowest speed, or partial view, or
simplex mode.
20.02.06 Alteration of mechanical/optical/electronic components to degrade quality of scan results to a level
unacceptable for meeting policy/legal requirements as 'original document'
20.02.07 Cause unrecoverable "double feed" error either through firmware, or electromechanical means.
20.02.08 Unauthorized settings of scanning parameters (e.g. for color balancing, brightness correction, border
recognition) resulting in unusable scans, or in permanent error conditions.
20.03 Denial of Service on the Fax Mode
20.03.01 Set the modem configuration (via op-panel, web page, or otherwise) to always negotiate the very lowest
bit rate (2400 bps).
20.03.02 Disable FAX service from operator panel (or put offline)
20.03.03 Dial into FAX Modem with malicious Sender that never completes Fax training sequence (continuous
squeal tones)
20.03.04 Send solid black pages to exhaust toner or damage mechanism
20.03.05 Send full-page grayscale pages from the Sender at the lowest bit rate (2400 bps).
20.03.06 Unauthorized firmware update that always reports Fax destination number as busy
20.03.07 Insertion of telephone in the loop that is always off the hook.
20.03.08 Changing the country settings of the Fax modem.
20.03.09 Changing Fax configuration to send/receive only in highest resolution.
20.04 Denial of Service on the Copier
20.04.01 Disable Copier service from operator panel (or put offline)
20.04.02 Interrupt copy job and never re-prioritize it (interrupting job never releases its possession of the print or
scan engine)
20.04.03 Denial of workflow services by degrading quality, performance of Copier
20.04.04 Removal of user replaceable supplies (toner, paper etc.)
20.04.05 Copy solid black pages to exhaust toner or damage mechanism.
20.04.06 Unauthorized firmware update that always reports Copier malfunction
20.04.07 Electrically shorting cables connecting option units.
20.04.08 Changing Copier configuration to work only in lowest resolution, or lowest speed, or partial view, or
simplex mode.
20.04.09 Alteration of mechanical/optical/electronic components to degrade quality of copier results to a level
unacceptable for meeting policy/legal requirements as 'original document'
20.04.10 Cause unrecoverable "double feed" error either through firmware, or electromechanical means.
20.04.11 Interfering/damaging the paper rolls so that they produce bad images, or mechanically malfunction
20.04.12 Otherwise mechanically/electronically interfere with the device, or its components
20.04.13 Interfere with the light sources, through the power supply
20.04.14 Unauthorized settings of copier parameters (e.g. for color balancing, brightness correction, border
recognition) resulting in unusable copies, or in permanent error conditions.
20.04.15 Disable watermark function
20.05 Denial of service by Managed Device
If an unauthorized user has access to the management interface, there are a huge number of settings
which may be changed that would disable or disrupt service. It does not seem advantageous to have a
comprehensive list. Here are a few examples:
20.05.01 Disabling ports and/or protocols.
20.05.02 Flash update attacks, such as flashing with a corrupted file, or starting a flash memory update cycle
without ever finishing.
20.05.03 Change language or lock front panel (will disrupt or prevent usage at the console)
20.05.04 Change settings to cause print or scan job errors, e.g. memory settings, page description language
settings, timeouts, etc.
20.05.05 Change settings to create additional and unnecessary work, e.g. changing the default copy count to 999.
20.05.06 Reset the device to its factory default settings.
20.05.07 Change the management interface access credentials so the administrator can no longer access the
management interface.
20.05.08 Change print restrictions so users/groups are denied access.
20.05.09 Delete stored print jobs.
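Since the 20.05 list cannot be made comprehensive, the practical control is to snapshot the device configuration at commissioning and alert on drift rather than enumerate every setting. The following is an added example, not part of this list and not any vendor's tool: it diffs a baseline snapshot against the current one and tags each change as security-relevant (protocols, SNMP, credentials, firmware, panel lock) or merely service-affecting. Both snapshots and the key names are constructed for illustration and do not correspond to any vendor's schema; in practice the snapshots would be exported from the management interface or collected by an SNMP walk.

```python
"""Configuration drift check for a managed hardcopy device (added example)."""

# Settings whose change weakens security rather than just disrupting service
# (10.00.01, 23.00.04, the 20.05 list). Prefixes are illustrative, not a vendor schema.
SECURITY_PREFIXES = ("network.protocols.", "snmp.", "admin.", "firmware.", "panel.locked")

def flatten(tree, prefix=""):
    """Turn a nested dict into {'a.b.c': value} so leaves can be compared."""
    flat = {}
    for key, value in tree.items():
        path = prefix + str(key)
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def classify(path):
    return "security" if path.startswith(SECURITY_PREFIXES) else "service"

def drift(baseline, current):
    """List (path, old, new, category) for every leaf that differs; a missing leaf reads as None."""
    base, cur = flatten(baseline), flatten(current)
    return [(p, base.get(p), cur.get(p), classify(p))
            for p in sorted(base.keys() | cur.keys()) if base.get(p) != cur.get(p)]

def verdict(changes):
    """'alert' if any security setting moved, 'review' for service-only drift, 'ok' when clean."""
    if any(c[3] == "security" for c in changes):
        return "alert"
    return "review" if changes else "ok"

# Constructed snapshots: the commissioning baseline versus what the device reports today.
BASELINE = {
    "network": {"ip": "10.0.20.15",
                "protocols": {"telnet": False, "tftp": False, "ipp": True, "raw9100": True}},
    "snmp": {"version": 3, "community_ro": None},
    "panel": {"locked": True, "language": "en"},
    "admin": {"password_set": True},
    "print": {"default_copies": 1},
    "firmware": {"version": "4.2.1"},
}
CURRENT = {
    "network": {"ip": "10.0.20.15",
                "protocols": {"telnet": True, "tftp": False, "ipp": True, "raw9100": True}},
    "snmp": {"version": 1, "community_ro": "public"},
    "panel": {"locked": True, "language": "ja"},
    "admin": {"password_set": False},
    "print": {"default_copies": 999},
    "firmware": {"version": "4.2.1"},
}

if __name__ == "__main__":
    changes = drift(BASELINE, CURRENT)
    for path, old, new, category in changes:
        print("%-9s %-28s %r -> %r" % (category, path, old, new))
    print("verdict:", verdict(changes))
```

Run on a schedule, this catches both the disruptive changes in the 20.05 list (copy count, panel language) and the quieter ones that open the device up (Telnet re-enabled, SNMP downgraded to v1 with "public", admin password cleared), and it does so without the operator having to predict which setting an intruder will pick.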
20.06 Denial of Service by a Networked Device
20.06.01 Change another IP address to be the same as the IP address of the hardcopy device on the network.
20.06.02 Replace a Cat5 cable with a Cat3 in the wiring closet.
20.06.03 Generate a packet flood (e.g. ping, SNMP/telnet or other protocol) to the printer.
20.06.04 Use SNMP, Telnet or other protocol to disable the device.
20.06.05 Download modified firmware that disables the device.
20.06.06 Open all available TCP connections and keep them active.
21.0 As an agent for a Denial of Service on downstream workflow functions or devices
21.00.01 Unauthorized firmware update that never completes negotiation with remote workstation or archival
storage.
21.00.02 Sending huge documents or excessive copies of document over and over to one or more destination
workstations or archival storage (either manually or with an automated script).
21.02.03 Unauthorized firmware that sends destructive commands downstream in the workflow based on events
associated with or caused by the interpretation of scanned information
21.03.01 Unauthorized firmware update that never completes negotiation with remote fax machine.
21.03.02 Setting of Fax send speed (via op-panel, web page, or otherwise) to the lowest bit rate (2400 bps)
21.03.03 Changing of Fax shortcut phone numbers (to the wrong fax machine, or to a voice phone number)
21.04.01 Force errors in the print engine or scan engine during copy to prevent that engine from being used by
others
21.05.01 Setting a very short interval on a network operation (e.g. service discovery broadcasts or large numbers
of email notifications, or event notifications)
21.06.01 Packet flooding
21.06.02 Loading of a rogue application (e.g. Java) to flood the network with traffic
21.06.03 The hardcopy device is set to the IP address of another device to cause perpetual network errors
21.06.04 Use FTP to load firmware file to generate a packet flood.
21.06.05 Send a PostScript, PJL or other job that generates a flood of backchannel messages.
21.06.06 Send an IPP job that generates a flood of email notifications.
21.06.07 Mis-configured hardcopy device has an open mail relay which allows routing many email messages
through the printer.
22.0 Unauthorized access to device data (on network, on hard disk/persistent memory, on paper.)
22.00.01 Theft, removal, or swapping of hard disk in the device
22.00.02 Rogue embedded firmware applet within the device that prints or otherwise forwards scanned information
to an unauthorized e-mail address or another fax phone number. (Unauthorized firmware update)
22.00.03 Take output from output hopper of device after hours.
22.00.04 Take input from input hopper
22.00.05 Unauthorized changes in backgrounds, colors and other image processing parameters
22.00.06 Unauthorized altering of the destination address
22.00.07 Phone line sniffer installed outside building or in wiring closet, etc.
22.00.08 Compromised user id (pin code) causing job to be released
22.00.09 Introduction of malicious software that opens a backdoor allowing remote access (for instance hard-disk
sharing that exposes the internal disk contents)
22.00.10 Misconfiguration of network services allowing submitted jobs to be retrieved
22.00.11 Rogue Java/MEAP/Chai application
22.00.12 Distract operator and steal input document.
22.00.13 Surfing the output bin and stealing the hardcopies.
22.00.14 Fraudulent or spoofed print job that appears to be something it isn't (e.g., appears to be a fax)
22.00.15 Insert a mini digital camera that records each page as it's processed.
22.00.16 EM sniffing of the job at hand
22.01.01 Network sniffing of print job
22.01.02 Man-in-the-middle capture/alter/resend/print job
22.02.01 Man-in-Middle type laptop inline that intercepts scanned data (and may forward to correct or incorrect
number)
22.02.02 Tampering with software noise filters to alter/damage data during scanning
22.03.01 Network sniffing of fax job (Input & output)
22.03.02 Rogue embedded firmware applet within the device that prints or otherwise forwards outbound or
inbound data to an unauthorized e-mail address or another phone number.
22.03.03 Man-in-Middle type Fax/modem equipped laptop inline that intercepts inbound/outbound faxes (and may
forward to correct or incorrect number)
22.03.04 Unauthorized printing inbound/outbound of stored faxes
22.03.05 Tampering with fax archives
22.04.01 Unauthorized firmware changes
22.04.02 Tampering with software noise filters to alter/damage data during copying
22.04.03 Theft, removal, or swapping of hard disk in copier device after simple delete or clearing of files.
22.04.04 Unauthorized access to any copied document data volatile or non volatile
22.04.05 Power failure or other interruption of machine immediately before or while the machine is attempting to
securely overwrite the hard disk
22.04.06 Residual image on copier belt or drum or hard disk due to magnetic/ionizing effects
22.04.07 Rogue applet or intentionally misconfigured firmware within device that saves copied documents and
allows them to be printed later (eg misuse of clustered print function)
22.04.08 Rogue applet or intentionally misconfigured firmware within the device that prints or otherwise forwards
copied information to an unauthorized e-mail address.
22.05.01 Modify printer email address to have jobs sent to attacker's account (Print via E-mail).
22.05.02 Modify e-mail account to duplicate all jobs to another e-mail account (Print via E-mail)
23.0 Theft of Service / Unauthorized usage including resources
23.00.01 Unauthorized use of device by stolen access codes
23.00.02 Bypass of the licensed options of the device
23.00.03 Modify device account logs used for invoices (i.e. print count)
23.00.04 Configuration change from other input (or operator panel or management application) to disable security.
23.00.05 Use the device as an agent to alter the workflow in an unauthorized way
23.00.06 Rogue VEND counter or simulator installed
23.01.06 Unauthorized printing of a scanned document, e.g. a negotiable document
23.02.01 Rogue embedded firmware that always sends scans to a specific destination archive or workstation,
regardless of the one intended.
23.02.02 Rogue configuration that changes the identity of the scan device such that it does not report the correct
URL/IP address, e.g. so the chargeback is incorrect.
23.02.03 Change the destination address or mailbox address so that scans are sent to the thief instead of, or in
addition to, the intended destination
23.02.05 Theft of [scan] service by changing the destination address or mailbox address so that scans are sent to
the thief instead of, or in addition to, the correct destination
23.03.01 Configuration change from other input (or operator panel) to disable security.
23.03.02 Rogue embedded firmware that always sends faxes to a specific number regardless of the number intended.
23.03.03 Rogue configuration that changes the identity of the FAX device such that it does not report the correct
PSTN identity/phone number.
23.03.04 A dual-capability modem chip set (fax/data) could be used to send fax data out via the phone lines to a
computer, etc. via the data capabilities
23.03.05 Surfing the output bin for received faxes not yet picked up.
23.04.01 Unauthorized endorsements of signatures, hanko, stamp, notary stamps watermarks, etc. (eg a type of
post-printing application)
23.04.02 Unauthorized and/or illegal Bates stamp
23.04.03 Copying watermarked documents that prohibit copying, by disabling the watermark sensing function.
23.04.04 Copying currency by disabling the protection function.
23.04.05 Deactivating the copy accounting terminal, which is the de facto physical interface for connecting a card
reader.
23.04.06 Rogue configuration that changes the identity of the copier device such that it does not report the correct
URL/IP address, e.g. so the chargeback happens incorrectly
23.04.07 Rogue embedded firmware that always sends copies to a specific destination archive or workstation,
regardless of the one intended.
23.04.08 Modify permissions/restrictions to allow additional service capabilities/quantities or modify credentials to
allow printing as a different user.
23.04.09 Use peer-to-peer connection to device to bypass server and circumvent accounting or corporate proxy
server
23.04.10 Unnecessary services …..
23.06.01 Use a peer-to-peer connection or unmonitored connection to the device to bypass the server and therefore
circumvent accounting
24.0 User identity theft (e.g. capturing mag-stripe info.)
24.00.01 Steal hard disk containing user lists or accounts
24.00.02 Network sniffing of user ID information (LDAP, SMB, FTP,…)
24.00.03 Steal user id, i.e. pin code, or password (social engineering)
24.00.04 Rogue imbedded firmware applet capturing and forwarding mag-stripe/biometric identity data.
24.00.05 Changing the send-from details in the device configuration so that the content appears to come from
another source
24.00.06 Using computer software to send rogue scanned messages with a stolen ID (fax number, sender info,
etc.).
24.00.07 Changing destination address
24.01.01 Using information retrieved by hacking the printer (see managed device vulnerabilities)
24.03.01 Changing the send from details (phone number etc.) in the device configuration.
24.03.02 Using computer software to send rogue or fraudulent faxes with a stolen Fax ID (fax number, sender info,
etc.) or other incorrect content.
24.03.03 Changing of Fax send shortcuts to different fax number.
24.04.01 Unauthorized endorser for signature / stamp
24.04.02 Steal hard disk containing user lists
25 Corruption or alteration of device data
25.00.01 Unauthorized replacement/modification of the Job ticket
25.00.02 Physical alteration of the platen to corrupt downstream workflow.
25.00.03 Tampering with the document/device management software to alter tracing and auditing of device usage
and document handling
25.01.01 Fraudulent or spoofed print job that appears to be something other than it is (like a FAX)
25.01.02 Man-in-the-middle capture/alter/resend print job
25.02.01 Inserting unauthorized scanned data into a workflow
25.02.02 Adding information (via unauthorized device firmware) to a document making it look like it was scanned
at a different date/time/phone number than it really was.
25.02.03 Inline scan test device or computer that intercepts and replaces outgoing or incoming scans
25.03.01 Adding information (via unauthorized device firmware) to a document making it look like it was faxed at a
different date/time/phone number than it really was.
25.03.02 Inline FAX test device or computer that intercepts and replaces outgoing or incoming faxes (man in the
middle); this includes alterations that may occur in store-and-forward or other fax-over-IP environments
25.03.03 Changing date time within the device to make fax look as if it was sent/received on different date and
time
25.03.04 Replacement and/or other alteration of fax data in a store-and-forward or other fax-over-IP environment
25.04.01 Unauthorized alteration and/or illegal Bates stamp
25.04.02 Unauthorized alteration of endorsements of signatures, hanko, stamp, notary stamps watermarks, etc
25.06.01 Spreading viruses or Trojan horses by supporting execution of common file formats.
25.06.02 Device provides an open mail relay function and allows spreading of viruses and Trojan horses