Printer Vulnerability Exposed by Indiana U Security Engineer

Security engineers in the Information Technology Security Office (ITSO) at Indiana University were at a loss when a user described a network-connected multifunctional printer that was acting strangely--even printing spam e-mail messages onto paper.

While investigating the printer problem, Nate Johnson, Indiana U's lead security engineer, took a chance and tested the printer for vulnerability to a File Transfer Protocol (FTP) Bounce Attack, a method used by malicious computer hackers to relay a network scan through another device, essentially covering their tracks online.

Johnson's hunch paid off, and with the maneuver, he discovered a security risk in a widely used family of Canon printers.

ITSO provides active security analysis, development, education, and guidance related to Indiana U's information assets and IT environment.

Johnson and ITSO recently published the vulnerability, having already alerted Canon to the problem. UISO has published four disclosures in the last two years.

Johnson's test--a common tactic for security professionals hoping to find holes in network security--revealed a vulnerability in the network configuration of certain printers and other devices in the Canon imageRUNNER series. These multifunctional printers are the size of a traditional copying machine and include network access that can leave them open to misuse if not properly configured. Hackers can exploit the device's Internet connection and treat it as a proxy from which to attack other sources, while concealing their own location.

"I stumbled across the security vulnerability," said Johnson. "The customer was having a problem with a printer, and on a whim I tested it. Hopefully, now that we have published the risk, people and businesses with these devices will take another look at their inventory."

Workarounds to the vulnerability include disabling FTP printing, setting up a username and password challenge to protect FTP printing or having a Canon service technician install a firmware update. A report posted on the campus' security office site states, "Additionally, best practices suggest that access controls and network firewall policies be put into place to only allow connections from trusted machines and networks."

According to Canon, the FTP command isn't used for printing from the printer driver. It only affects those imageRUNNER machines that have the FTP print setting on.

To view the detailed alert reported by UISO, visit   https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack.

To view the alert from Canon, visit  http://www.usa.canon.com/html/security/office_security.html.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • Abstract neural network 3D illustration

    IntelĀ® AI EmpowerED: The AI-Ready Campus, Delivered

    Artificial intelligence is transforming higher education, prompting institutions to rethink how they manage infrastructure, security, governance, and workforce readiness. Successful adoption requires a strategic, institution-wide approach that aligns AI initiatives with educational goals, faculty enablement, and scalable operational frameworks.

  • Jason Palm

    AI, Identity, and Speed: Cybersecurity Priorities for Higher Ed

    Fortinet Security Operations Specialist Jason Palm explains how AI is raising new security challenges for higher education, requiring stronger governance, identity protection, threat detection, automation, and incident readiness.

  • person typing on a touch screen schedule plan calendar

    DOJ Extends Deadline for ADA Title II Compliance

    Institutions working to meet the Americans with Disabilities Act Title II regulations for digital accessibility have received a temporary reprieve: The United States Department of Justice has published an interim final rule to push back the compliance deadline by one year.

  • Profile silhouette of a person thoughtfully touching their chin, overlaid with transparent data visualizations and digital interface elements suggesting artificial intelligence and analytics.

    The Institutional Knowledge Shift Is Reshaping Higher Ed IT

    Higher education IT leaders are navigating a quiet but consequential transition: Experienced team members are retiring or leaving for private-sector roles, and the teams replacing them are smaller, newer, and often stretched thin. The result is a structural shift in how technology decisions are made, executed, and sustained.