Aug 7
by Jasper Pimentel (Advanced Threats Researcher)

Is this the title of a new horror flick? Hardly. Common sense tells us that photocopiers, scanners, printers and other office appliances like them are harmless equipment, dumb machines that perform single routine functions. They can never pose a threat to us, especially not to network security, where the most common villains are BOT-possessed workstations and unpatched servers with default (read: unsecure) configurations.


Or can they?


Just like any piece of technology, printers, photocopiers, scanners, etc. have evolved over time to become complex machines. For instance, Xerox’s PE120i WorkCentre is a combination of a fax machine, scanner, printer and photocopier. It sports network connectivity, making it possible for you to scan a document and send it through email. By now you may realize what I’m getting at. The increasing complexity of such machines (deemed unworthy of being a security threat) means they can actually be used as new propagation and attack vectors. Their embedded systems can be exploited as well. An unassuming photocopier/scanner machine can be exploited as a drone to mount a DDoS attack in the same way BOTs make zombies out of unsecure workstations. If the machine supports the use of scripts, those scripts can be used to execute potentially malicious programs. The scary thing about this is that most people view such equipment as just dumb machines and do not subject them to the same level of security that befits servers and workstations. So this blog entry serves as a heads up: we may get to see some of the things I’ve mentioned in the near future.


And oh, before I forget to mention it, we’ve received a Proof of Concept for exploiting the Xerox WorkCentre just this morning…







© Copyright 2008 Trend Micro Inc. All rights reserved.